
Protecting your Office 365 environment
Leverage the Firepower API, Cisco Cloud Email Security and more
Christopher van der Made – CSE Security
@ChriscoDevnet

BRKSEC-3433

“SaaS, DIA and Zero Trust force us to think differently: security for data in transit does not work for most SaaS, therefore, enforce security on the far ends of the spectrum: on the Endpoint and the App.”
Christopher van der Made, 2018

BRKSEC-3433 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Pro Tip: slides tagged “Pro Tip” carry practical advice. There are also many backup slides.
DC & Cloud Security Diagonal Learning map

• BRKSEC-2602 / Friday – 11h30: Cloud Managed Security Architecture and Design
• BRKSEC-2605 / Thursday – 8h30: Securing Clouds: Untraditional Defenses
• BRKSEC-3093 / 14h45: ARM yourself using NGFWv in Azure
• BRKSEC-2034 / Thursday – 14h45: Cloud Management of Firepower and ASA with Cisco Defense Orchestrator
• BRKSEC-2998 / Wednesday – 11h00: Cloud Managed Security & SD-WAN from Cisco Meraki
• BRKSEC-2186 / Thursday – 11h15: A multi-cloud segmentation journey through big data with Tetration
• TECSEC-2768 / Monday – 8h30: Securing applications and workloads on the journey to the cloud
• BRKSEC-3433 / Thursday – 8h30: Protecting your Office 365 environment: leverage the Firepower API, Cisco Cloud Email Security and more
• BRKSEC-2048 / Wednesday – 8h30: Demystifying ACI Security
• BRKSEC-1839 / Tuesday – 17h00: Introduction to Application Security and DevSecOps
Who am I?
• Christopher van der Made.
• CSE Security, joined through
graduate Program in 2015.
• Studied Neuro-, Computer-
and Information-Science @
University of Amsterdam.
• Love being outdoors, building
stuff and cutting down trees
(responsibly!).
• Love coding and active
contributor to DevNet.
Goals of this session:
• Learn more about the challenges of Cloud SaaS.
• Learn how to optimize traffic going to O365 and maximize availability of SaaS.
• Learn how CES with AMP, Cloudlock, Adaptive MFA (Duo) and Stealthwatch Cloud can increase the confidentiality and integrity of your data in O365 and Azure.
Agenda

• Introduction to Microsoft Office 365
• How to secure O365?
  • Gateways/Proxies:
    • Firepower Threat Defense
    • Umbrella
    • Web Security Appliance
  • Cloud Email Security with AMP
  • Cloudlock
  • Adaptive MFA: Duo Security
  • Stealthwatch Cloud
• Closing
Introduction to Microsoft Office 365

Common applications hosted by O365 (figure)
Microsoft O365 Networking Best Practices

• All offices of your organization should have local Internet connections.
• Each local Internet connection should be using a regionally local DNS server for outbound Internet traffic from that location.
• Whenever possible, configure your edge routers to send trusted Microsoft O365 traffic directly, instead of proxying or tunneling through a gateway.
• Configure your edge devices to forward O365 traffic without processing. This is known as traffic bypass.

Source: https://docs.microsoft.com/en-us/microsoft-365/enterprise/networking-provide-bandwidth-cloud-services
Microsoft O365 Networking Best Practices

“To configure and update the configurations of edge devices, you can use a script or a REST call to consume a structured list of endpoints from the Office 365 Endpoints web service. For more information, see Office 365 IP Address and URL Web service.”
Microsoft O365 Web Service API

• Service Areas:
  • Exchange Online and Exchange Online Protection
  • SharePoint Online and OneDrive for Business
  • Skype for Business Online and Microsoft Teams
  • Common: O365 Pro Plus, Office Online, Azure AD and others.

• Categories:
  • Optimize: bypass or whitelist on edge devices (about 75% of all O365 traffic, and the most sensitive to latency and packet loss).
  • Allow: bypass or whitelist on edge devices (less sensitive to latency etc.).
  • Default: can be treated as “normal” Internet traffic and inspected as usual (not always hosted by Microsoft).
How to secure O365?

The CIA model and O365 (figure: the three groups below arranged around “Information Security”)

Integrity
• Identify compromised accounts;
• Detect malicious insiders;
• Get visibility into emerging threats;
• Find undetected malware.

Availability
• Provide secured authentication regardless of location;
• Ensure best connectivity to Cloud (O365);
• Bypass traffic to Cloud (O365) from deep packet inspection.

Confidentiality
• Get file upload visibility;
• Make sensitive data visible;
• Validate public data sharing;
• Ensure correct email encryption.
“Paradox: How to increase security when turning OFF transit security, in the name of ‘Availability’?”
Christian Heinel, 2019
Solution | Short | CIA | Summary benefit to O365
Firepower Threat Defense | FTD/FMC | A | Bypass O365 traffic with a Python script or with the built-in App Detector.
Umbrella | UMB | A | Bypasses O365 traffic by default. Can do O365 tenant restrictions.
Web Security Appliance | WSA | A | Bypasses O365 traffic with an allow rule. Can do O365 tenant restrictions.
Cloud Email Security (with AMP) | CES | CI | Inspection on all email traffic, O365 API based integration for AMP Retrospective Remediation. Spam reduction.
Advanced Malware Protection | AMP | CIA | AMP for Email with AMP for Endpoints provides holistic malware protection. Threat Grid for dynamic file analysis.
Cloudlock | CL | CI | UEBA on O365 authentications, DLP on files and OAuth App Firewall on connected (shadow IT) apps.
Duo Security | DUO | CIA | Adaptive MFA and SSO on all O365 (and other) apps. Authenticate users regardless of their location.
Stealthwatch Cloud | SWC | CI | Can natively monitor Azure (+ AWS and GCP) flow logs, model entities automatically and detect anomalies based on behavioral analysis.
(Figure: reference architecture around O365. Cisco Threat Response sits on top and consumes the APIs of Umbrella, AMP(4E), Threat Grid, FTD, CES/ESA and more to 1. Detect, 2. Investigate, 3. Remediate, with a unified block page across the web gateways. Internet traffic from the internal network, branch offices and roaming users (AnyConnect, Umbrella roaming client, AMP4E) passes the Umbrella proxy, WSA or FTD; whitelisted Internet traffic (O365) goes direct. SMTP traffic passes CES, which uses the O365 APIs for AMP retrospective remediation. Cloudlock watches the O365 tenant via API, Stealthwatch Cloud (SWC) monitors Azure, and the Duo Access Gateway provides SAML SSO and MFA in front of both cloud and non-cloud applications. Products shown: Umbrella and OpenDNS, AMP(4E), Threat Grid, FTD and Snort, CES/ESA, WSA, Cloudlock, Stealthwatch, Cognitive.)
What value does Talos bring to O365?

Main Source | Daily Amount | Type | Benefit to O365
ESA/CES | 600B | Email | Sender Domain Reputation, Phishing, BEC
UMB/OpenDNS | 150B | DNS Request | Domain Reputation, Block Malicious Web
AMP | 1.5M | Unique Malware | Malware Protection
WSA | 16B | Web Request | Domain Reputation, Block Malicious Web
Cloudlock | 300K | Cloud Apps | Risk Score on Shadow IT Apps
SW Cloud | ~ | Security Intelligence | Talos IP and Domain blacklist can be added to the watchlist
Gateways/Proxies

“Is the traffic to Office 365 going directly to the internet, or is a Gateway or Proxy inspecting the traffic in transit?”
All Microsoft Support Persons, Always
Firepower Threat Defense

Firepower Threat Defense Traffic Flow (figure): FTD sits between the internal network and the Internet. Trusted traffic (e.g. O365) is passed without inspection; allowed traffic is inspected; traffic blocked based on reputation or inspection gets the unified block page. Capabilities:
• Firewalling + NGIPS
• Application Control
• AMP and Threat Grid
• URL Filtering
• Security Intelligence
• Virtual Patching
Application Visibility and Control

• Support for 6800+ applications and detectors
• Applications are grouped according to:
  • Risk
  • Business relevance
  • Types, categories and tags
  • User-created filters
• Support for custom detectors.
• Support for OpenAppID.
Office 365 App Detector

• Works on the Common Name in the server certificate, so no decryption is needed. This only holds for TLS 1.2 and below: TLS 1.3 encrypts the server certificate, so the CN is no longer visible to the firewall.
• Uses the FQDN list managed by Microsoft in the backend.
• Updates come through the VDB update every month*.

* A change by Microsoft does NOT automatically trigger a VDB update, so the detector can lag behind the published list.
Give the rule high priority! (screenshot)

AVC Trust Rules operation in FTD (screenshot)

Automate: VDB Download and Install (Pro Tip, screenshot)
But WAIT, Firepower also has a REST API!
What is a REST API?

(Figure) The client (our script) sends a request to the server (FMC) using an HTTP method: GET, POST, PUT or DELETE. The API service performs the corresponding CRUD action and returns a response as JSON, XML or text.

API = Application Programming Interface
REST = Representational State Transfer
CRUD = Create, Read, Update, Delete
JSON = JavaScript Object Notation
FMC API Explorer (Pro Tip)

https://<address-of-FMC>/api/api-explorer
How to Build an Office 365 “whitelist” with the Firepower REST API

• Microsoft publishes a list of the URLs, IPv4 and IPv6 addresses used by the infrastructure of the Microsoft cloud applications (e.g. Office 365).
• This list can be used in a “whitelist” on edge devices (e.g. NGFW).
• Microsoft updates the Office 365 IP address and FQDN entries at the end of each month and occasionally out of cycle for operational or support requirements.
• Microsoft recommends you check the version daily, or at the most, hourly.

Source, Web Service API: https://docs.microsoft.com/en-us/office365/enterprise/managing-office-365-endpoints#webservice
O365 Whitelist in Firepower Threat Defense

1. Create a URL object and an IP (network) object in FMC (or let the script do that!).
2. Add the URL object to a Trust rule in the access control policy and the IP object to a Fastpath rule in the prefilter policy. A Trust rule passes matching flows without further inspection; a prefilter Fastpath rule skips the Snort engine entirely and matches only on IP and port, which is why the IP object goes there and the URL object into the access control rule.

Give the rule high priority (place it above the inspection rules)!
How to Automate the Update Process

Script logic (flowchart):
1. First time the script runs? If yes, prompt the user which apps (service areas) and region are used.
2. Is the scheduled service enabled? If not, the script ends.
3. Is a new version of the Microsoft list available? If not, sleep for the scheduled interval and repeat.
4. Retrieve the list of IPs and URLs.
5. Parse the list and create JSON objects.
6. Update the objects in FMC.
7. Is auto policy deploy enabled? If yes, deploy the policy in FMC; otherwise send a Webex Teams warning alert that a deployment is pending.
8. Sleep for the scheduled interval and repeat.
JSON format of the O365 Web Service (screenshots)

Show me some code!

Check for updates (screenshot)

Update IP group object in FMC (screenshot)

Code (v4.1) and guide on: https://github.com/chrivand/Firepower_O365_Feed_Parser
DEMO: O365 Web Service Parser for Firepower (recorded demo)
Umbrella

Umbrella DNS Traffic Flow (figure): DNS queries from the DC, HQ, branch office or roaming client go to Umbrella; internal domains are answered by the internal DNS (DIA / DCA); whitelisted DIA traffic (e.g. O365) goes straight to the Internet; risky domains are steered through the Intelligent Proxy; blocked domains land on the unified block page.

How to bypass O365 traffic with Umbrella DNS? (screenshot)
Umbrella DNS Advantages for O365

• Traffic leaves directly from the customer's egress, not through a tunnel or proxy.
• Umbrella is directly peered with the Microsoft network in 90% of its locations.
• EDNS Client Subnet retains the contextual source information of the querying network.
• Regardless of the Umbrella DC used, the best O365 DC is provided.
• Some results*:
  • An average of 60 to 80% improvement in O365/IPv4 ICMP round trip times
  • 25 to 40% reduction in the number of O365/IPv4 network hops
  • 50 to 75% improvement in HTTP round trip times
  • 70 to 85% reduction in download times

* Source: https://learn-umbrella.cisco.com/solution-briefs-2/umbrella-o365-performance-use-case-3
Umbrella Secure Internet Gateway (SIG)

(Figure) Roaming users (AnyConnect) and Cisco routers / SD-WAN edges connect to Umbrella over IPsec tunnels; Umbrella + Cloudlock (OAuth) sit in front of the Internet. Features:
• DNS-based security
• Cloud delivered Firewall
• Secure Web Gateway
• CASB (Proxy + API)
• O365 bypass with the Web Service API!

* Check out: BRKSEC-2023!

App Discovery and Control (Cloudlock integration) (screenshot)
Umbrella SWG O365 Bypass

• Currently needs to be enabled by Umbrella Support; a GUI option will be added soon.
• Uses the Microsoft Web Service API to bypass all O365 FQDNs (SWG bypass based on FQDN, kept in sync with the API).
• Traffic is still carried through the SWG for logging purposes, but not proxied: no inspection or decryption that influences O365 functionality.

(Figure) Flow for on/off-network devices and SD-WAN:
1. O365 domain requested.
2. Umbrella DNS returns the destination IP (DNS bypass).
3a. Port 443 connection towards the Umbrella cloud; 3b. the CDFW allows 443.
4a. SWG bypass; 4b. NAT out to the Internet.

Request bypass via: [email protected]
Umbrella SWG O365 Tenant Restriction via Azure AD (coming soon!)

1. User browses to an SWG-bypassed O365 domain.
2. User gets redirected to Azure AD for authentication: login.microsoftonline.com
3. The connection to Azure AD is not bypassed, and the SWG places an HTTP header indicating the allowed tenant.
4. Azure AD evaluates whether the user credentials match the tenant restriction.
5. Azure AD issues a service token if the credentials match the header.
6. User is successfully authenticated and can access O365 resources.

Source: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions
Cisco SD-WAN + Umbrella Advantages for O365

• While Umbrella can provide the best DC based on EDNS, SD-WAN can provide the best WAN link to use.
• All WAN links are continuously monitored with probes.
• O365 traffic is dynamically routed to the best-performing path without requiring human intervention.
• Cloud onRamp for SaaS provides real-time and historical visibility into application performance through a Quality-of-Experience metric.
• Can automatically set up IPsec tunnels to Umbrella's CDFW and SWG.
Web Security Appliance

Web Security Appliance Traffic Flow (figure): the WSA sits between the internal network and the Internet. Bypassed traffic (e.g. O365) passes without inspection; allowed traffic is inspected; traffic blocked based on reputation or inspection gets the unified block page. Capabilities:
• Web Reputation
• Application Control
• AV and AMP
• Data Loss Prevention
• Cognitive Intelligence
• Cloudlock Integration
Custom and External URL Categories: Edit Category (screenshot)

Custom and External URL Categories: Add Category (screenshot)

Allow and Pass Through rules for O365 (screenshot)

Also possible in Proxy Bypass for WCCP traffic! (screenshot)
WSA O365 Tenant Restriction via Azure AD

1. User browses to a WSA-bypassed O365 domain.
2. User gets redirected to Azure AD for authentication: login.microsoftonline.com
3. The connection to Azure AD is not bypassed, and the WSA places an HTTP header indicating the allowed tenant.
4. Azure AD evaluates whether the user credentials match the tenant restriction.
5. Azure AD issues a service token if the credentials match the header.
6. User is successfully authenticated and can access O365 resources.

Configure via WSA CLI:
> advancedproxyconfig
> customheaders
> new
> Restrict-Access-Context: <Azure AD ID>

Note: Microsoft's tenant-restrictions documentation (source below) specifies two headers on requests to the Azure AD login domains: Restrict-Access-To-Tenants (the list of permitted tenants) and Restrict-Access-Context (the directory ID of the tenant enforcing the restriction); the CLI above shows the latter. For the proxy to insert them, the login domains must not be bypassed and must be decrypted on the WSA; if an HTTPS decryption policy passes login.microsoftonline.com through, the header is never added and the restriction silently does nothing.

Source: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions
Cloud Email Security with AMP

Mapping Features to Protection

Inbound:
• Sender Reputation: 80-90% block rate (Connection Filters)
• Connection Control: throttling, DHAP, SPF, DKIM, DMARC (Spoof Detection)
• CASE (AS, GM, OF): multi-verdict scanning (Spam Filter, URL Analysis)
• Anti-Virus (Sophos, McAfee): block 100% of known viruses (Anti-Malware Defense)
• File Reputation: SHA-based file blocking (Advanced Malware Protection, AMP)
• File Analysis: over 1600 behavioral indicators (AMP)
• Graymail Detection: business and marketing, social and bulk (Marketing Filter)
• Content Filtering: control security rules (Rules)
• Outbreak Filtering: 9-12 hour lead time on outbreaks (0-day Malware, Anti-Phishing and URL Analysis)

Outbound, Post-Delivery Analysis & Interaction:
• CASE (AS, GM, OF): outbound spam filters (Outbound Threat Filters)
• Anti-Virus (Sophos, McAfee): block 100% of known viruses (Anti-Malware Defense)
• File Reputation & Analysis: over 300 behavioral indicators (AMP)
• Data Loss Prevention: over 140 pre-built filters (Outbound Data Protection)
• Envelope Encryption: push-based encryption
• Safe Unsubscribe: perform the unsubscribe for users (Marketing)
• Web Interaction: track user clicks (URL Analysis)
• AMP Retrospection: alerts on file disposition change
• Mailbox Auto Remediation: delete or forward from O365
Microsoft O365 E3 licenses | Cisco CES Premium licenses
- | Sender Base Reputation
- | Sender Domain Reputation
Anti-Spam Filters | Anti-Spam Filters
- | Graymail Detection
Antivirus Protection | Antivirus Protection
Safe Links (ATP) * | URL Reputation & Category filters
- | Outbreak Filter (Anti-Phishing)
- | Web Interaction Tracking and Shortened URL support
Safe Attachments (ATP) * | AMP File Analysis
Retrospective Alerts | Retrospective Alerts and Remediation up to 7 Days
Basic Message Tracking | Detailed Message Tracking**
Basic Reporting | Detailed Reporting**
S/MIME, TLS | S/MIME, TLS
DLP | DLP with higher catch rate**
- | Envelope Encryption
- | DANE (mandatory in most EU countries)
- | STIX/TAXII Third Party feeds
- | Advanced Phishing Protection***
- | Domain Protection (DMARC hosting and reporting)***

* This feature is only available with E5 licenses
** Also check out this source: https://www.cisco.com/c/en/us/products/security/email-security/competitive-comparison.html
*** Separate license (for now)
Office 365 without Cisco Email Security (figure)
MX 10 cust45.office365.com
MX 20 cust46.office365.com
Sender -> O365 -> Customer

Office 365 with Cisco Email Security (figure)
MX 10 esa1.cisco-ces.com
MX 20 esa2.cisco-ces.com
Sender -> CES -> O365 -> Customer
Azure Identity Connector for CES (screenshot)

• Available today as a controlled release and at no additional cost!
• Documentation: https://ces.readme.io/v1.0/docs/azure-to-ldap-connector
• Request: http://cs.co/ces-requests
Office 365 with Cisco Email Security (figure)
MX 10 esa1.cisco-ces.com
MX 20 esa2.cisco-ces.com
CES retrieves group and directory data from the Azure Graph API and stores it in an LDAP server inside CES for recipient verification, so mail to non-existent recipients is rejected at the edge instead of being accepted and bounced later.
Office 365 with Cisco Email Security (figure): the two CES listeners

“Private” listener (outbound from O365):
- no MX record
- DNS: ”ob1.hcxxxxx.iphmx.com”
- allows relay for O365

“Public” listener (inbound):
- MX1 and MX2
- incoming from the Internet
- outgoing to the Internet
Office 365 with Cisco Email Security (figure): the O365 egress IP is shared among many O365 tenants, whereas CES has dedicated IPs per customer.

What happens if an O365 tenant gets compromised?! Because the O365 egress IPs are shared by every tenant, a private listener that relays everything arriving from those IPs would also relay mail injected by any other tenant, including mail that spoofs your own domain. The relay rule therefore has to tie a message to your tenant, not merely to the O365 IP range.
Office 365 with Cisco Email Security (Pro Tip)

• In O365, add an X-header with a unique (secret) string to all outgoing mails.
• On the CES private listener, set a message filter that allows only mails from acme.com AND carrying the unique X-header, and drops everything else. Strip the header again before the mail leaves CES, otherwise every recipient of your outbound mail learns the string.
Mail Policies with AMP: Strict AMP Policy (screenshot)
Advanced Malware Protection Flow (figure)

AMP Cloud locations: EU Dublin; US VA, TX and CA. Threat Grid Cloud locations: EU Frankfurt; US VA, TX and CA.

1. Email with attachment arrives at CES.
2. File reputation query (SHA256) to the AMP Cloud.
3. AMP verdict: Unknown.
4. Email goes to quarantine while the file is sent to the Threat Grid Cloud for analysis.
5. Threat Grid returns its verdict to the AMP Cloud (“poke: verdict update”).
6. Email dropped or further processed, depending on the verdict.
Retrospective Verdict Change (figure): a verdict update for a threat whose disposition changes at a later point in time.
AMP Unity Retrospective Event Flow (figure)

1. Email with attachment arrives at CES.
2. File reputation query (SHA256) to the AMP Cloud.
3. AMP verdict: Unknown.
4. No quarantine policy; email delivered.
5. User opens the email attachment: IOC detected and quarantined by AMP4E.
7. AMP retrospective verdict update: Malicious.
9. Remediation (all mailboxes) through the O365 API.

Azure application permissions required for Mailbox Auto Remediation:
• Send mail as any user
• Read and write mail in all mailboxes
• Read mail in all mailboxes
• Full access to all mailboxes

These are tenant-wide application permissions, not permissions delegated by a single signed-in user, so the app registration's client secret or certificate grants access to every mailbox and has to be protected and rotated like an Exchange admin credential.

Source: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_010100.html
AMP Unity Integration (Pro Tip)

• Integrate ESA / WSA / FP with the AMP4E console
• Group multiple ESA / WSA / FP together & share a common policy
• Whitelist / blacklist SHA256 values
• Share IoCs & get File Trajectory across the organization

CES + Cisco Threat Response Integration (screenshots)

• Search for file names and email subjects
• Correlate events from AMP4E and CES!

Please check out: BRKSEC-2433!
Cisco O365 Threat Analyzer

• Assessment tool to show the value of Cisco Email Security.
• Graph API integration only -> does not change the mail infrastructure.
• Graph API permissions:
  • Read Directory Data
  • Read All Groups
  • Read Mail in all Mailboxes
• Cloud based instance (on dCloud) or a VM.

Installation: create an Azure app with read-only Graph API permissions.
All installation instructions: https://docs.ces.cisco.com/docs/dcloud-cisco-threat-analyzer

Office 365 with the Threat Analyzer (figure): mail from senders still flows straight to O365; the Cisco Threat Analyzer retrieves mail, group and directory data from the Azure Graph API (read-only!).

Example Cisco Threat Analyzer report, E3+ATP (screenshots)
Cloudlock

Challenges organizations have with SaaS…

User / Entity Behavior Tracking
• Who is doing what in my cloud applications?
• How do I detect account compromises?
• Are malicious insiders extracting information?

Data Content and Sharing Tracking
• Do I have toxic and/or regulated data in the cloud?
• Do I have data that is being shared inappropriately?
• How do I detect policy violations?

OAuth Connected Apps and Shadow IT
• How can I monitor app usage and risk?
• Do I have any 3rd party connected apps?
• How do I revoke risky apps?
Solving: User / Entity Behavior Tracking

• Checking all user activity across SaaS apps for:
  • Login location
  • Login public IP
  • Distance between logins
  • Any specific event (e.g. file shared with anonymous link)
  • Specific user groups
  • Etc.
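The "distance between logins" check above is the classic impossible-travel detection: two logins of the same user whose implied travel speed no flight could achieve. The following is an added example of that logic, not Cloudlock's implementation or any code from the session; the login events, the IP addresses (documentation ranges), the city coordinates and the 900 km/h ceiling are all constructed assumptions.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumption: roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed, normalised login events: what a CASB sees after geolocating the
# public IP. Coordinates are approximate city centres; IPs are documentation ranges.
LOGINS = [
    {"user": "alice", "ts": "2020-01-30T08:00:00Z", "ip": "203.0.113.10", "city": "Amsterdam", "lat": 52.37, "lon": 4.90},
    {"user": "alice", "ts": "2020-01-30T08:45:00Z", "ip": "198.51.100.7", "city": "Sao Paulo", "lat": -23.55, "lon": -46.63},
    {"user": "bob",   "ts": "2020-01-30T09:00:00Z", "ip": "203.0.113.22", "city": "Amsterdam", "lat": 52.37, "lon": 4.90},
    {"user": "bob",   "ts": "2020-01-30T13:30:00Z", "ip": "192.0.2.9",    "city": "London",    "lat": 51.51, "lon": -0.13},
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def impossible_travel(events, max_kmh=MAX_SPEED_KMH):
    """One alert per consecutive login pair of the same user whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue                      # same egress IP, nothing to compare
            hours = (_parse(cur["ts"]) - _parse(prev["ts"])).total_seconds() / 3600
            hours = max(hours, 1 / 3600)      # clamp to 1 s: concurrent logins far apart still get flagged
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours
            if speed > max_kmh:
                alerts.append({"user": user,
                               "from": f'{prev["city"]} ({prev["ip"]})',
                               "to": f'{cur["city"]} ({cur["ip"]})',
                               "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print(alert)
```

Only alice is flagged (roughly 9,800 km in 45 minutes); bob's Amsterdam to London hop four and a half hours later is well under the ceiling. In production the geolocation step itself is the weak point: VPN egress points and mobile carrier NATs move users hundreds of kilometres, so the speed threshold is what keeps the alert volume sane.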
Cloudlock normalizes the events for global policies (screenshot)
Solving: Data Content and Sharing Tracking

EXAMPLE
• The EU PII Policy matches personal identifiers from the twenty-seven countries of the European Union.
• The policy monitors common identifiers associated with GDPR to better assist customers with compliance in their own organizations.
• E.g.: Person Name, Drivers License, IBAN, License Plates, National ID, etc.
• For the full list: https://docs.cloudlock.info/docs/eu-personal-identifiers
Solving: OAuth Apps and Shadow IT

• OAuth connected apps detection.
• All OAuth apps can be classified based on risk, permissions and more.
• DNS, proxy and firewall logs can be consumed for Shadow IT detection (Umbrella does this automagically!).

Does this look familiar? (consent screen screenshot)
How to phish using OAuth, in four screenshot steps (Step 1, Step 2, Step 3, Step 4: Phished!): https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/

The point for defenders: the victim never types a password into the attacker's page. They log in to Microsoft legitimately (MFA included), consent to an app, and the attacker's app receives an access token for the granted scopes (plus a refresh token if offline_access was among them). MFA on the login does not stop this, because the login was genuine; what stops it is revoking the app's consent, which is exactly what the Cloudlock app inventory and revoke action are for.
Example Policy*: Restrict App Access

• OAuth connected apps can be revoked directly from the dashboard.
• The access scope these kinds of apps request can be very dangerous (remember Pokémon Go?).
• The Risk Score is meant to assist administrators of Cisco Cloudlock in determining which applications to Trust and which to Ban:
  • Part of the risk is based on the permission levels requested by the application.
  • Community Trust Rating: derived from the community of Cisco Cloudlock customers with Apps Firewall and their classification of the app.
  • Industry Risk Score: internal research from the Cyberlab about the app and the vendor behind it. This includes financial viability, various certifications (such as HIPAA, PCI, etc.) and how the cloud service is typically used (e.g. data storage, type of data).

*More examples in backup slides!

(Two screenshots of the Restrict App Access policy.)
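Both the Threat Analyzer permission list earlier in this section and the "risk based on permission levels requested" bullet above come down to the same question: given the scopes an OAuth app asks for, how dangerous is the grant? The following is an added example of such a scorer, written for this page; it is not Cloudlock's Risk Score algorithm or any Cisco code. Assumptions: the mapping of the Threat Analyzer's display names ("Read Directory Data", "Read All Groups", "Read Mail in all Mailboxes") to the Graph permission names Directory.Read.All, Group.Read.All and Mail.Read, the Resource.Operation.Qualifier naming convention used by the regex, and every weight and threshold.

```python
import re
from dataclasses import dataclass

# Microsoft Graph permission names follow Resource.Operation[.Qualifier], e.g.
# Mail.Read, Mail.ReadWrite, Directory.Read.All, Files.ReadWrite.All.
_PERM_RE = re.compile(
    r"^(?P<resource>[A-Za-z]+)\.(?P<op>ReadWrite|ReadBasic|Read|Write|Send|Manage|Export)"
    r"(?:\.(?P<qual>All|Shared))?$"
)
# Weights are an assumption made for this example, not Cloudlock's scoring.
OP_WEIGHT = {"ReadBasic": 1, "Read": 2, "Export": 3, "Send": 4, "Write": 4, "ReadWrite": 5, "Manage": 5}
SENSITIVE = {"Mail", "Files", "Directory", "Sites", "Contacts", "Calendars", "User"}
OIDC = {"openid": 0, "profile": 0, "email": 0, "offline_access": 3}  # offline_access = refresh token


@dataclass(frozen=True)
class ScopeRisk:
    scope: str
    write: bool
    tenant_wide: bool
    weight: int


def assess_scope(scope):
    """Score one requested permission string."""
    if scope in OIDC:
        return ScopeRisk(scope, False, False, OIDC[scope])
    m = _PERM_RE.match(scope)
    if not m:
        # An operation we do not model (e.g. FullControl): assume the worst
        # rather than silently ignoring it.
        return ScopeRisk(scope, True, True, 8)
    write = m["op"] in {"ReadWrite", "Write", "Send", "Manage"}
    tenant_wide = m["qual"] == "All"
    weight = OP_WEIGHT[m["op"]]
    weight += 1 if m["resource"] in SENSITIVE else 0
    weight += 2 if tenant_wide else 0
    return ScopeRisk(scope, write, tenant_wide, weight)


def assess_app(requested, expected=None):
    """Return (score, verdict, findings) for an app's requested permissions.

    `expected` is the documented permission set of a known app (such as the
    Threat Analyzer); any drift from it is rejected outright, because the
    consent screen is the only place the drift would otherwise be noticed.
    """
    risks = [assess_scope(s) for s in requested]
    score = sum(r.weight for r in risks)
    findings = []
    if expected is not None:
        extra, missing = set(requested) - set(expected), set(expected) - set(requested)
        if extra or missing:
            findings.append(f"scope drift: extra={sorted(extra)} missing={sorted(missing)}")
            return score, "reject", findings
        return score, "trust", findings
    refresh = "offline_access" in requested
    for r in risks:
        if r.write and r.tenant_wide:
            findings.append(f"{r.scope}: tenant-wide write access")
        elif r.write and refresh:
            findings.append(f"{r.scope}: write access with a long-lived refresh token")
    if findings:
        return score, "ban", findings
    if any(r.write or r.tenant_wide for r in risks) or score >= 8:
        return score, "review", findings
    return score, "trust", findings


if __name__ == "__main__":
    analyzer = ["Directory.Read.All", "Group.Read.All", "Mail.Read"]
    print(assess_app(analyzer, expected=analyzer))
    print(assess_app(["User.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]))
```

The second call is the shape of the consent-phishing app from the previous slide: mailbox write access plus a refresh token, and tenant-wide write on files. The design choice worth copying is the `expected` path: for apps you deploy yourself, compare the consent screen against the documented scope list instead of scoring it, so a vendor quietly adding a write scope in a later version cannot slip through.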
But how does it actually work?

CASB, API access (cloud to cloud), diagram: the admin authorizes Cloudlock via OAuth, and Cloudlock talks to the SaaS platform's public APIs. That is why it sees activity from unmanaged users, unmanaged devices and unmanaged networks as well as from managed users, devices and networks; the managed side additionally passes through Cisco WSA / NGFW / Umbrella.
Sign in to Cloudlock using OAuth

• Open Cisco Cloudlock.
• Log in using your O365 Global Admin credentials.

Set up Cloudlock and O365

1. In Cloudlock, open the Settings > Platforms window.
2. Select Authorize from the Actions column of the O365 platform. Your Office 365 window opens automatically.
3. Enter your O365 credentials, select Keep me signed in, then select Sign in.
4. The access permissions requested by "Cisco Cloudlock for Office 365" are listed in the window that appears. This is an admin consent for the whole tenant, so compare the list with the permissions documented by Cloudlock before you select Accept.
5. You are returned to Cisco Cloudlock: you have finished integrating Cisco Cloudlock into your Office 365 platform.

The result! (dashboard screenshot)
Office 365 Firewall (Pro Tip)

• If your Office 365 tenant has firewall rules that prevent third-party applications, whitelist the following addresses so Cloudlock may have access:
  • 52.73.52.135
  • 52.71.142.118
  • 52.40.204.69
  • 52.35.119.173
  • 52.27.150.153

Source: https://docs.umbrella.com/cloudlock-documentation/docs/quick-start-guide-office-365
Example DLP Policy + Webex Teams (screenshots)

1. Drop credit card numbers in a Webex space…
2. Slap on the wrist from Cloudlock!
3. Detailed reporting in Cloudlock.
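The EU PII policy slide earlier in this section lists IBAN among the identifiers, and the Webex demo above trips on credit card numbers. Matching these is not just a regex: both identifiers carry a checksum (Luhn for cards, ISO 13616 mod-97 for IBANs), and checking it is what separates a useful DLP hit from noise every time someone pastes a 16-digit order number. The block below is an added example written for this page, not Cloudlock's detection engine; the regexes, the abbreviated IBAN length table and the sample message are constructed, and the card and IBAN values are the well-known published test numbers.

```python
import re

# Patterns are constructed for this example; a DLP engine carries one
# validated pattern per identifier and country.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{1,4}){3,8}\b")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")    # 13-19 digits, optional separators
IBAN_LENGTH = {"BE": 16, "DE": 22, "ES": 24, "FR": 27, "GB": 22, "NL": 18}  # subset of ISO 13616


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812) over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban):
    """ISO 13616 check: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must be 1 modulo 97."""
    s = iban.replace(" ", "").upper()
    if IBAN_LENGTH.get(s[:2]) != len(s) or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def mask(value):
    """Keep the first and last four characters so the report is actionable but not a leak."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan(text):
    """Return (policy, masked value) findings; raw values never leave this function."""
    findings = []

    def redact_iban(m):
        if iban_ok(m.group()):
            findings.append(("EU_PII:IBAN", mask(m.group().replace(" ", ""))))
            return "<IBAN>"                       # keep its digits out of the card scan
        return m.group()

    remaining = IBAN_RE.sub(redact_iban, text)
    for m in CARD_RE.finditer(remaining):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("PCI:credit_card", mask(digits)))
    return findings


# Constructed Webex Teams message: a Luhn-valid Visa test number, the standard
# German example IBAN, and a near miss that fails the Luhn check.
SAMPLE_MESSAGE = ("Please pay card 4111 1111 1111 1111 exp 12/24 or transfer to "
                  "DE89 3704 0044 0532 0130 00. Ticket 4111 1111 1111 1112 is a typo.")

if __name__ == "__main__":
    for policy, masked in scan(SAMPLE_MESSAGE):
        print(policy, masked)
```

Two findings come back for the sample, and the "typo" number is ignored because its checksum fails. Note that the scanner reports masked values only: a DLP alert that copies the full card number into the SOC ticketing system has just created a second PCI problem.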
Adaptive MFA: Duo Security

"Please raise your hand if you are sure you have never been phished at some point in time!"
Spotting phishing sites is becoming very difficult… (screenshot)
But how do we stop this?

#1: Verify User Trust!

• Multi Factor Authentication with Push, Call, SMS, HOTP, TOTP, Tokens, YubiKey, etc.
• Integrates with all major ID providers (AD, Azure AD, Okta, Ping etc.)
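HOTP and TOTP from the list above are open standards (RFC 4226 and RFC 6238), so it is worth seeing what the verifier actually does, in particular the two things a home-grown implementation usually gets wrong: constant-time comparison and refusing to accept a time step twice. The block below is an added example written for this page, not Duo's code; the secret is the ASCII test secret from the RFCs, and the window and step sizes are the RFC defaults.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret, code, unix_time, last_counter=None, window=1, step=30, digits=6):
    """Verifier side.

    Accepts the current step plus or minus `window` steps (clock drift),
    compares in constant time, and never accepts a step at or before the one
    stored from the previous successful login (replay protection).
    Returns (accepted, counter_to_store).
    """
    now = unix_time // step
    for drift in range(-window, window + 1):
        c = now + drift
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True, c
    return False, last_counter


# RFC test secret: ASCII "12345678901234567890"
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                 # RFC 4226 Appendix D, counter 0
    print(totp(RFC_SECRET, 59, digits=8))      # RFC 6238 Appendix B, SHA-1 row for T=59
```

One caveat belongs next to this code: an OTP proves the user holds the seed, not that they are talking to the right site. A real-time phishing proxy simply relays the six digits, so of the factors listed on the slide only the origin-bound ones (YubiKey and other FIDO2/WebAuthn authenticators) resist the phishing the previous slide warns about; Duo Push at least shows the user where the request came from.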
#2: Verify Device Trust!

• Can check device posture for many aspects.
• Can provide upgrade paths when software is out of date.
• Can check if devices are managed or have a certificate.
• Protects against unsafe and exploited devices.
#3: Control EVERY Application!

• Integrates applications with SAML, RADIUS, LDAP, SSH, Web, or natively with the API.
• Enables a Zero-Trust approach to user-to-application access.
• Many pre-built integrations exist already (logo wall).
DUO Access Gateway (DAG) App Launcher (screenshot)
DUO + O365 Authentication Flow (on-prem AD)

1. O365 redirects to the DAG, or the user logs in directly to the DAG SSO page.
2. Primary authentication against AD.
3. DAG establishes a connection to the DUO Cloud (EU locations: Dublin and Frankfurt).
4. Secondary authentication via DUO (push, call etc.).
5. DAG receives the authentication response from DUO.
6. Session authenticated and user redirected into O365.
DUO + O365 Authentication Flow (Azure AD)

1. O365 redirects to the DAG, or the user logs in directly to the DAG SSO page.
2. Primary authentication against Azure AD (OpenID Connect).
3. DAG establishes a connection to the DUO Cloud.
4. Secondary authentication via DUO (push, call etc.).
5. DAG receives the authentication response from DUO.
6. Session authenticated and user redirected into O365.
DUO + O365 Authentication Flow (Azure AD Conditional Access)

1. User browses to O365 to log in.
2. User submits primary Azure AD credentials.
3. The Azure conditional access policy redirects the client browser to Duo.
5. Secondary authentication via DUO (push, call etc.).
7. Client sends the Duo approval back to Azure.
8. Azure grants application or service access once the Duo conditional access policy is satisfied.
Steps to secure O365 with DUO and the DAG

1. Download and deploy the DAG (e.g. on Azure, or Cisco hosted (beta)).
2. Enable O365 Single Sign-On with the DAG as IdP.
3. Create the O365 application in DUO.
4. Add the O365 application to the DAG.
5. Verify SSO.
DEMO: Create the O365 application in DUO + deploy the DAG

Try it: https://admin.duosecurity.com/login

Add the Office 365 application to the Duo Access Gateway

1. Return to the Applications page of the DAG admin console session.
2. Click the Choose File button in the "Add Application" section of the page and locate the Office 365 SAML application JSON file you downloaded from the Duo Admin Panel earlier. Click the Upload button after selecting the JSON configuration file.
3. The Office 365 SAML application is added.
DEMO: Verify SSO for O365

Try it: https://demo.duo.com/dag/login

DUO + AMP4E Adaptive MFA

1. User browses to O365 (or the DAG) to log in.
2. Primary authentication: Azure AD (OpenID Connect).
3. DAG establishes a connection to the DUO Cloud.
4. Endpoint compromised: Duo responds with Access Denied.
5. User is prompted with the Duo Access Denied page.

Notes: Duo checks the endpoint status in the AMP cloud every 5 minutes for compromised endpoints. A Duo certificate is required on the host, and the host FQDN must match the one reported by the AMP connector.
Add the AMP4E integration to Duo

1. Gather AMP credentials from your AMP admin panel.
2. Enter the AMP credentials in the Cisco Duo admin panel.
3. Set policies in Cisco Duo to protect against risky devices.
Set Duo Adaptive MFA policies with AMP4E (screenshot)

Result: the Duo authentication log shows AMP4E (screenshot)

DEMO: Duo integration with AMP4E

Try it: https://demo.duo.com/cisco-amp
Stealthwatch Cloud

Architecture (diagram): Stealthwatch Cloud receives native telemetry via APIs from the public cloud, and telemetry from the private cloud and on-premises network via SWC sensors: a sensor pod in Kubernetes containers, an ONA sensor on virtualization, or Firepower events.
Entity -> Observations -> Baseline -> Alert

Detect abnormal activity using entity modeling (example: database exfiltration)

• Start: flow logs are ingested and an IP is detected. The IP communicates with a set of IPs (who, when, how much) and is identified as a database server.
• 36-day baseline: behaviour is monitored and modelled. The model understands that data stays within the environment and continues to be accessed from regular locations.
• Observations: a new external connection; a new high-throughput connection; the external IP becomes persistent.
• Alert triggers for Database Exfiltration.
NSG Flow Logging ("Azure Netflow")

Flow logs include the following properties:
• mac: the MAC address of the NIC for the VM where the flow was collected.
• flowTuples: a string that contains multiple properties for the flow tuple in comma-separated format:
  • Time Stamp: when the flow occurred, in UNIX epoch format.
  • Source IP.
  • Destination IP.
  • Source Port.
  • Destination Port.
  • Protocol: T for TCP, U for UDP.
  • Traffic Flow: direction, I for inbound, O for outbound.
  • Traffic Decision: A for allowed, D for denied.
  • Flow State (version 2 only): B = Begin, when a flow is created (no statistics); C = Continuing, for an ongoing flow (statistics at 5-minute intervals); E = End, when a flow is terminated (statistics provided).
  • Packets, source to destination (version 2 only): total TCP or UDP packets sent from source to destination since the last update.
  • Bytes sent, source to destination (version 2 only): total TCP or UDP packet bytes (header and payload) sent from source to destination since the last update.
  • Packets, destination to source (version 2 only): total TCP or UDP packets sent from destination to source since the last update.
  • Bytes sent, destination to source (version 2 only): total TCP or UDP packet bytes (header and payload) sent from destination to source since the last update.
NEW: Adding Azure watchlists (screenshot)

NEW: Additional Azure alerts (screenshot)
NEW: Confirmed Threats and Encrypted Traffic Analytics

Confirmed Threat Service, powered by Cognitive Intelligence
• Available now for all SWC customers!
• Correlation with all SWC-monitored traffic for domain and IP matches.

Encrypted Traffic Analytics in Stealthwatch Cloud
• Available now for all SWC customers!
• Requires ETA telemetry from Cisco devices.
• New alerts and observations: Protocol Forgery; Vulnerable Transport Security Protocol; Indicator Matches: Hostname or URL.
NEW: Cisco Secure Sign-On (screenshot)
EXAMPLE: port 3389 open on a Windows Server 2016 in Azure… within 1 hour, 253 login attempts! (two screenshots)
BRKSEC-3433 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 165
DEMO: O365 Stealthwatch Cloud alerts

Try it: https://security.cisco.com/


Closing

Putting it all together (architecture diagram). Elements shown:
• Cisco Threat Response: 1. Detect, 2. Investigate, 3. Remediate, with APIs to SWC, Cloudlock, AMP(4E), Threat Grid, FTD, CES / ESA and more.
• Integrated modules: Umbrella and OpenDNS, AMP(4E), Threat Grid, FTD and Snort, CES / ESA, WSA, Cloudlock, Stealthwatch, Cognitive.
• Umbrella: Internet traffic, retrospective remediation, unified block page, Umbrella proxy.
• CES: SMTP traffic.
• DUO Access Gateway: SAML and MFA in front of O365; whitelisted Internet traffic to O365.
• Internal network (+ branch): WSA and FTD for non-cloud Internet traffic.
• Roaming user: AnyConnect client with the Umbrella roaming client and AMP4E; VPN traffic.

"Christopher, can you give me an EXAMPLE of an organization that uses all of this?"

Please check out: BRKCOC-2384!
BRKCOC-2384, Cisco's own deployment (diagram). Elements shown: the Cisco premise with identity.cisco.com, HSMs and an O365 hybrid deployment (CAS, CAS/TRNS, MBX); inbound and outbound ESAs (IronPort Email Security Appliance) as the cisco.com MX; DMARC; AS 109, AS 12076 and AS 24115 towards the greater Internet.
Key Takeaways

• DIA, SaaS and Zero Trust architectures make us rethink security.
• We can (and need to) bypass SaaS traffic, like O365, on our gateways and proxies to maximize availability.
• We can (and need to) provide security on the two sides of the spectrum, on the endpoints and on the applications, in order to increase the confidentiality and integrity of your data in O365 and Azure.
• Cisco Security is ready to help our customers in this journey.
Links to continue reading

• FMC Script GitHub Repository: https://github.com/chrivand/Firepower_O365_Feed_Parser
• DevNet Code Exchange: https://developer.cisco.com/codeexchange/github/repo/chrivand/Firepower_O365_Feed_Parser
• DevNet website: https://developer.cisco.com
• Office 365 best practices: https://docs.microsoft.com/en-us/microsoft-365/enterprise/networking-infrastructure
• FMC 6.5 config guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65.html
• WSA 11.8 config guide: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-8/user_guide/b_WSA_UserGuide_11_8.html
• Umbrella config guide: https://docs.umbrella.com/
• CES 12.5 config guide: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-5/user_guide/b_ESA_Admin_Guide_12_5.html
• Cloudlock config guide: https://docs.umbrella.com/cloudlock-documentation/docs
• DUO and O365 integration: https://duo.com/docs/o365
• DUO Access Gateway using Azure AD: https://duo.com/docs/dag-windows#microsoft-azure-(openid-connect)
• DUO O365 native integration with Azure AD: https://duo.com/docs/azure-ca
• SWC + Azure config guide: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/configuration/SWC_PCM_Azure_DV_1_1.pdf
Complete your online session survey

• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the overall conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education: demos in the Cisco campus, walk-in labs, meet the engineer (1:1 meetings), related sessions.
Security Breakout, Thursday 30 January 2020 (start time, length in hours)

08:30 AM
• BRKSEC-3432 Advanced ISE Architect, Design and Scale ISE for your production networks (2 h)
• BRKSEC-3035 Firepower Platforms Deep Dive (2 h)
• BRKSEC-2605 Securing Clouds: Untraditional Defenses (1 h)
• BRKSEC-2433 Threat Hunting and Incident Response with Cisco Threat Response (2 h)
• BRKSEC-3433 Protecting your Office 365 environment: leverage the Firepower API, Cisco Cloud Email Security and more. (2 h)

09:45 AM
• BRKSEC-2056 Threat Centric Network Security (1 h)

11:15 AM
• BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through (2 h)
• BRKSEC-3455 Dissecting Firepower NGFW: Architecture and Troubleshooting (2 h)
• BRKSEC-3054 IOS FlexVPN Remote Access, IoT and Site-to-Site advanced Crypto VPN Designs (2 h)
• BRKSEC-3771 Advanced Web Security Appliance Deployment & Troubleshooting with a side of Advanced Threat Technologies (2 h)
• BRKSEC-2186 A multi-cloud segmentation journey through big data with Tetration (2 h)

02:45 PM
• BRKSEC-3500 DoT and DoH: Innovations in DNS Security (1.5 h)
• BRKSEC-3629 Designing IPSec VPNs with Firepower Threat Defense integration for Scale and High Availability (1.5 h)
• BRKSEC-2327 SPF is not an acronym for "Spoof"! Let's utilize the most out of the next layer in Email Security! (1.5 h)
• BRKSEC-3144 Malware Execution As A Service: A Deep Dive into Threat Grid Advanced File Analysis (1.5 h)
• BRKSEC-2034 Cloud Management of Firepower and ASA with Cisco Defense Orchestrator (1.5 h)
Thank you
Backup Slides
Agenda (backup slides)

• Introduction to Microsoft Office 365
• How to secure O365?
  • Gateways/Proxies:
    • Firepower Threat Defense
    • Umbrella
    • Web Security Appliance
    → Unified Block Page
  • Cloud Email Security with AMP
  • Cloudlock
  • Adaptive MFA: Duo Security
  • Stealthwatch Cloud
• Closing
Firepower Threat Defense

Application Visibility and Control

• Support for 6000+ applications and detectors.
• Applications are grouped according to:
  • Risk
  • Business relevance
  • Types, categories and tags
  • User-created filters
• Support for custom detectors.
• Support for OpenAppID.
Give the rule high priority! (screenshot; the GUI has changed in newer releases)

Automate: VDB download and install (Pro Tip, screenshot; the GUI has changed in newer releases)
Firepower API Use Cases

Augment firewall contextual data:
• Host discovery
• Vulnerability analysis
• More accurate IPS recommendations

Automate firewall configuration:
• Manipulate objects
• Change policy
• Deploy configuration
O365 Whitelist in Firepower Threat Defense

1. Create a URL object and an IP (network) object in FMC (or let the script do that!).
2. Add these to a Trust rule and a Pre-Filter rule respectively.
3. Give the rule high priority (screenshot).
How to Automate the Update Process

• Retrieve IPs and URLs from the O365 REST-based web service (JSON).
  • This can be the Worldwide list (default), or change this to DoD, Germany etc.
  • This can be all O365 apps (default), or change this to Exchange only etc.
  • Retrieve only the Optimize and Allow addresses; Default-category endpoints are ordinary Internet traffic and should keep going through normal inspection.
• Parse this list into 2 flat lists (URLs, and IPs (mixed IPv4 and IPv6)).
• Loop through the lists and build the right JSON format for the FMC API PUT requests.
• Create/update the IP and URL objects in FMC -> Webex Teams alert.
• Policy deploy to the FTD sensors (caution with automation: an unattended deploy pushes an uninspected bypass to every sensor with nobody reviewing the diff).
• Check for updates using the O365 version API endpoint (max once per hour).
• ⟲ In case of an update, repeat the process; else, sleep for an hour.
Script walkthrough (code screenshots): get the latest version; user prompted for FMC and O365 details (two screenshots); parse URLs out of the JSON into a list; parse IPs out of the JSON into a list; update the URL group object in FMC.
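The automation procedure above, and the screenshot walkthrough that follows it, describe a feed-to-FMC pipeline. Below is an added, self-contained illustration of the parsing and object-building half of it, written for this page; it is not the Firepower_O365_Feed_Parser script from the session and does not talk to an FMC. The feed excerpt is constructed in the shape the Office 365 endpoints web service returns; the endpoint and version URLs are the real ones. The literal shapes for UrlGroup and NetworkGroup objects are how I recall the FMC REST API accepting them, so verify them against the API Explorer of your FMC version before using them in a PUT.

```python
import ipaddress
import json
import urllib.request
import uuid

ENDPOINTS_URL = "https://endpoints.office.com/endpoints/{instance}?clientrequestid={rid}"
VERSION_URL = "https://endpoints.office.com/version/{instance}?clientrequestid={rid}"

# Constructed excerpt in the shape the Office 365 endpoints web service returns.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"],
     "tcpPorts": "443", "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "Exchange", "urls": ["smtp.office365.com"],
     "ips": ["40.92.0.0/15"], "tcpPorts": "587", "category": "Allow", "required": True},
    {"id": 31, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22"], "tcpPorts": "80,443", "category": "Optimize", "required": True},
    {"id": 80, "serviceArea": "Common", "urls": ["*.cdn.office.net"],
     "tcpPorts": "443", "category": "Default", "required": False},
])


def fetch(url_template, instance="Worldwide"):
    """Live download (not used by the offline sample). clientrequestid must be a GUID."""
    url = url_template.format(instance=instance, rid=uuid.uuid4())
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode()


def parse_feed(raw, categories=("Optimize", "Allow"), service_areas=None):
    """Flatten the feed into a sorted URL list and a sorted IPv4+IPv6 prefix list."""
    urls, nets = set(), set()
    for entry in json.loads(raw):
        if entry.get("category") not in categories:
            continue            # Default endpoints stay on the normal inspected path
        if service_areas and entry.get("serviceArea") not in service_areas:
            continue
        urls.update(entry.get("urls", []))
        nets.update(entry.get("ips", []))
    # ip_network() also validates every prefix, so a malformed feed fails here, not in FMC
    ordered = sorted(nets, key=lambda s: (ipaddress.ip_network(s).version, ipaddress.ip_network(s)))
    return sorted(urls), ordered


def fmc_url_group(name, urls):
    """Body of a UrlGroup object with inline literals (assumed FMC API shape)."""
    return {"name": name, "type": "UrlGroup",
            "literals": [{"type": "Url", "url": u} for u in urls]}


def fmc_network_group(name, nets):
    """Body of a NetworkGroup object with inline literals (assumed FMC API shape)."""
    return {"name": name, "type": "NetworkGroup",
            "literals": [{"type": "Network", "value": n} for n in nets]}


def plan_update(current_literals, desired, key):
    """Diff the literals already in FMC against the feed; returns (to_add, to_remove).
    Log this diff before the PUT: it is the review step the deploy automation lacks."""
    have = {lit[key] for lit in current_literals}
    want = set(desired)
    return sorted(want - have), sorted(have - want)


if __name__ == "__main__":
    urls, nets = parse_feed(SAMPLE_FEED)
    print(json.dumps(fmc_url_group("O365_URLs", urls), indent=1))
    print(json.dumps(fmc_network_group("O365_IPs", nets), indent=1))
```

Two points from the walkthrough show up in the code: the category filter is what keeps Default endpoints (plain CDN and telemetry hosts) out of the uninspected bypass, and the `plan_update` diff is the cheapest place to catch a feed change that would suddenly trust a large new prefix before it is deployed to every sensor.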
Umbrella

Tip for VAs and Roaming Clients + O365 (Pro Tip)

• When using Autodiscover with VAs and/or the Roaming Clients, please ensure that your Autodiscover domain is added to the internal domains list (autodiscover.outlook.com.glbdns.microsoft.com).

Source: https://support.umbrella.com/hc/en-us/articles/230563567-Using-Office-Autodiscover-or-Office-365
Unified Block Page (Pro Tip, screenshots)

• WSA block page settings (two screenshots)
• Umbrella block page settings
• FTD block page settings (two screenshots)
• Example block page
Adaptive MFA

What does DUO aim to do?

1. Verify User Trust: Multi Factor Authentication (MFA); Adaptive MFA.
2. Verify Device Trust: mobile security without MDM; unified endpoint visibility.
3. Controls for Every App: easier remote access; Zero Trust / BeyondCorp.
DUO's Platform (diagram): identity (all employees, privileged users, contractors and partners) on personal (unmanaged) and corporate (managed) devices, accessing applications and infrastructure in the cloud, on-premise and in the datacenter; security and access built on visibility, prevention, detection and remediation.
Cloudlock

Challenges organizations have regarding SaaS…

Users/Accounts
• Who is doing what in my cloud applications?
• How do I detect account compromises?
• Are malicious insiders extracting information?

Data
• Do I have toxic and regulated data in the cloud?
• Do I have data that is being shared inappropriately?
• How do I detect policy violations?

Applications
• How can I monitor app usage and risk?
• Do I have any 3rd party connected apps?
• How do I revoke risky apps?
Cloudlock addresses these key questions!

1. User and Entity Behavior Analytics: Compromised account detection; Insider threats
2. Cloud Data Loss Prevention (DLP): Data Exposures and Leakages; Privacy and Compliance Violations
3. Cloud Apps Firewall: OAuth Discovery and Control; Shadow IT Detection
1. User and Entity Behavior Analytics (diagram)

All user behavior: Document created; File downloaded; Session terminated; Email sent; File modified; Access denied
Anomalies: login failure 113x than average; data asset deletion 141x than average; file downloads 227x than average
Suspicious activities: 58% abnormal behavior; 31% login activities; 11% admin actions
True threat
Contextual analysis: Community intelligence; Centralized policies; Cloud vulnerability insight; Cyber research; Threat intelligence
2. Cloud Data Loss Prevention (DLP)

PII: SSN/ID numbers; Driver license numbers; Passport numbers; Special EU PII category!
Education: Inappropriate content; Student loan application information; FERPA compliance
General: Email address; IP address; Passwords/login information
PHI: HIPAA; Health identification numbers (global); Medical prescriptions
PCI: Credit card numbers; Bank account numbers; SWIFT codes

For full list: https://docs.cloudlock.info/docs/eu-personal-identifiers
3. Cloud Apps Firewall

Does this look familiar?

Example Policy 1: Event Analysis (UEBA)

• Event Analysis policies monitor UEBA activities.
• These are usually "Build-Your-Own" policies and can have various criteria to cover various UEBA activities:
  • Severity: up to the discretion of the admin creating or modifying the policy.
  • Platform: choose to monitor all platforms or only certain platforms (e.g. O365).
  • White/Black Lists: countries can be white- or blacklisted depending on needs.
  • Events: choose to monitor all possible user behavior or specific types of events (pulled from APIs).
  • Velocity: monitor user activity across the globe when two separate events take place in separate, distant locations within a short period of time.
  • Users: choose to monitor all users within a domain (or monitoring scope) or specific users, groups and OUs.
  • Whitelisted IPs: add a list of specific IP addresses that do not need to be monitored (e.g. internal VPN concentrators).
  • Blacklisted IPs: add to the library of blacklisted IPs or specify certain IPs within that library that you want monitored. Can be auto-populated with the Cisco-provided IP blacklist!
Solving: Data Content and Sharing Tracking
• Checking uploaded and shared documents for:
  • Inappropriate content
  • SSN/ID numbers
  • Credit Card numbers
  • Distance between logins
  • Medical ID numbers
  • Documents sharing exposure
Teleportation from Amsterdam to Tel Aviv in 45 minutes?!
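The Velocity criterion of the Event Analysis policy and the Amsterdam-to-Tel-Aviv case above, as an added example (not Cloudlock's own code): consecutive logins per user are compared and flagged when the implied travel speed is implausible. It assumes each login has already been geolocated, and the speed threshold, IPs and whitelisted VPN address are constructed.

```python
"""Added example (not Cloudlock's own code): an impossible-travel
("velocity") check like the Event Analysis policy describes, run over
constructed login events. Thresholds and IPs are illustrative."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0          # assumption: above any airliner's speed
WHITELISTED_IPS = {"203.0.113.10"}  # constructed: internal VPN concentrator

@dataclass
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    city: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def velocity_alerts(events, max_kmh=MAX_PLAUSIBLE_KMH, whitelist=WHITELISTED_IPS):
    """Compare each login with the user's previous one and flag pairs whose
    implied travel speed is implausible. Returns (user, from, to, km, kmh)."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ip in whitelist:  # whitelisted IPs are not monitored at all
            continue
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            # same timestamp: only a real distance jump counts as infinite speed
            kmh = km / hours if hours > 0 else (float("inf") if km > 1 else 0.0)
            if kmh > max_kmh:
                alerts.append((ev.user, prev.city, ev.city, round(km), round(kmh)))
        last[ev.user] = ev
    return alerts

# Constructed sample: the slide's Amsterdam-to-Tel-Aviv-in-45-minutes case,
# plus a plausible Amsterdam-to-Brussels trip two hours apart that must not alert.
SAMPLE = [
    LoginEvent("alice", datetime(2020, 1, 28, 10, 0), "198.51.100.5", "Amsterdam", 52.37, 4.90),
    LoginEvent("alice", datetime(2020, 1, 28, 10, 45), "192.0.2.77", "Tel Aviv", 32.08, 34.78),
    LoginEvent("bob", datetime(2020, 1, 28, 9, 0), "198.51.100.9", "Amsterdam", 52.37, 4.90),
    LoginEvent("bob", datetime(2020, 1, 28, 11, 0), "198.51.100.12", "Brussels", 50.85, 4.35),
]
```

Calling `velocity_alerts(SAMPLE)` yields one alert for alice at roughly 3,300 km in 45 minutes, and none for bob.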

Example Policy 2: EU Personal Identifiers

• The EU PII Policy matches personal identifiers from the twenty-seven countries of the European Union.
• The policy monitors common identifiers associated with GDPR to better assist customers with compliance in their own organizations.
• E.g.: Person Name, Drivers License, IBAN, License Plates, National ID, etc.
• For full list: https://docs.cloudlock.info/docs/eu-personal-identifiers
Stealthwatch Cloud
ETA / Enhanced Netflow Required
Crypto-compliance reporting
• Ensure quality encryption is being used throughout the organization
• Query on various parameters like protocol, algorithm, message authentication code (MAC), and more

How do you get ETA telemetry from the Public Cloud?
Cisco Cloud Services Router 1000V Series
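The crypto-compliance query described above, as an added example (not Stealthwatch Cloud's own code): constructed flow records carrying ETA-style fields (TLS version and negotiated cipher suite) are checked per protocol, encryption algorithm, MAC and key exchange. The flows, field names and the compliance policy are assumptions for illustration.

```python
"""Added example, not Stealthwatch Cloud's own code: a crypto-compliance
check over constructed flow records with ETA-style TLS fields. The policy
(minimum TLS version, weak algorithms) is an assumed baseline."""
from collections import Counter

# Constructed flow records; the field names are assumptions, not an export format
FLOWS = [
    {"src": "10.1.1.5", "dst": "40.97.0.1", "tls": "TLSv1.2", "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
    {"src": "10.1.1.6", "dst": "40.97.0.2", "tls": "TLSv1.0", "cipher": "TLS_RSA_WITH_RC4_128_SHA"},
    {"src": "10.1.1.7", "dst": "40.97.0.3", "tls": "TLSv1.3", "cipher": "TLS_AES_128_GCM_SHA256"},
    {"src": "10.1.1.8", "dst": "40.97.0.4", "tls": "TLSv1.2", "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
]

MIN_TLS = {"TLSv1.2", "TLSv1.3"}                    # assumed policy floor
WEAK_ALG = {"RC4", "3DES", "DES", "NULL", "EXPORT"}  # assumed weak-algorithm list

def parse_cipher(suite):
    """Split an IANA cipher-suite name into (key exchange, encryption, MAC/hash)."""
    body = suite[len("TLS_"):]
    if "_WITH_" in body:
        kx, enc_mac = body.split("_WITH_", 1)
    else:                      # TLS 1.3 suites name only the AEAD and hash
        kx, enc_mac = "TLS1.3", body
    enc, _, mac = enc_mac.rpartition("_")
    return kx, enc, mac

def compliance_findings(flow, min_tls=MIN_TLS, weak=WEAK_ALG):
    """Return the policy violations for one flow, one string per parameter."""
    findings = []
    if flow["tls"] not in min_tls:
        findings.append(f"protocol {flow['tls']}")
    kx, enc, mac = parse_cipher(flow["cipher"])
    if any(w in enc for w in weak):
        findings.append(f"algorithm {enc}")
    if mac in {"MD5", "SHA"}:  # bare SHA means an HMAC-SHA1 suite
        findings.append(f"MAC {mac}")
    if kx.startswith("RSA"):   # static RSA key exchange: no forward secrecy
        findings.append("key exchange RSA")
    return findings

def report(flows):
    """Per-flow findings keyed by src->dst, plus a count per finding type."""
    per_flow = {f"{f['src']}->{f['dst']}": compliance_findings(f) for f in flows}
    summary = Counter(x.split(" ")[0] for v in per_flow.values() for x in v)
    return per_flow, summary
```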
Conclusion
Please check out: BRKCOC-2384!
Cisco on Cisco: Office 365

• ESA: fully migrated to O365 Exchange Online with Email Security Appliances (in the future will migrate to CES).
• Cloudlock: used for Onedrive and Sharepoint, testing with Salesforce.
• Meraki MDM: migration at the moment.
• Umbrella DNS: used globally (rollout was 30 seconds), AnyConnect roaming client rolled out in phases.
• Duo: rolled out within 3 months, much faster than the previous solution.
• AMP4E: running on managed Mac and Windows endpoints.
• Firepower: used globally, with O365 bypass.
• And more!
Why O365?

• Cloud Native Transformation
• Low Change Management
• Customer and Partner Ecosystem
• Customer Zero (Collaboration, Security)
• Secure Digital Experience
• Joint Development (MSFT & Cisco)
Secure Digital Experience (diagram)

Collaboration eco-system: Team Space; Meeting Rooms; Employee Community; Social Collaboration; Lightweight content publishing; Directory; Social Graph; Content Creation; Meeting Experience; Sharing
Productivity side: Business Workflows; Productivity Apps; Email & Calendar (Outlook); Office Applications (ppt, xls); Content Storage (One Drive); File sync-n-share; Tools/Apps; Team Collaboration
Joint Development: O365 + WxT Capabilities

• Embedded Communications (Webex Teams): Presence and Click to x (Chat, Call, Meet from Contact card); easy transition from productivity tools to team collaboration
• Embedded Meetings (Webex Meeting): Webex Teams for Office Suite; embedded for enhanced meeting experience
• Collaborative Editing: Concurrent editing by multiple users; real time editing across all devices
Mail Flow & Filtering (diagram)
Labels: AS 12076; AS 109; AS 24115; Cisco Premise (CAS, CAS/TRNS, MBX, Mailboxes, inbound ESAs, outbound ESAs); O365 Hybrid; Cisco.com MX; DMARC
SSO with MFA (diagram)
Labels: AS 12076; Cisco Premise; identity.cisco.com; O365 Hybrid; Internet Premise
CASB - Out of Band Protection (diagram)
Labels: Private Cloud
Barcode Zero Trust Networking (diagram)
Labels: DMs: Meraki, Jamf, SCCM, etc; identity.cisco.com; DAVE; Cisco Premise; Off Premise; TrustedDevice
TrustedService with Federated Device Posture (diagram)
Labels: CSIRT Playbook Monitoring; Federated Trust; Application Security Controls
Application Control with CloudLock (diagram)

Six Months Later