Cisco Defense Orchestrator Business Decision Maker Presentation Effective Security Policy Management Made Simple June 2016 Hello, my name is [insert your name] and I’ve been with Cisco for [insert number] years. [Provide introduction] I am very excited to talk with you about Cisco Defense Orchestrator and what it can do for your business. Let’s get started.
Maintaining an End-to-end Security Posture is Becoming Increasingly Complex Manage constant changes in security policy and rules Keep up with business needs Stay ahead of the latest security threats Do more with fewer resources We’ve heard from distributed businesses like yours that maintaining end-to-end security posture is becoming increasingly complex. “Plugging holes" in the proverbial security dam with point products doesn't work. Being reactive to security needs is no longer an option. Customers like you tell us they’re faced with challenges. Here are just a few examples. First, managing constant changes in security policy and rules is a challenge. Sometimes the workarounds created to give your team instant access or updates aren’t as secure as they should be or don’t get written into the proper policy. This opens you up to vulnerabilities. Keeping up with business needs is also challenging. As your business expands, you’ll constantly have more Cisco devices, policy requests and technologies to manage. It’s also super critical that your team stay ahead of the latest security threats. You’ll need some way to leverage NGFW functionality with Security Intelligence Feeds to help you get cutting-edge IPS and Advanced Malware Protection. Your team might not have the expertise or time to keep up. And lastly, you’re required to do more with fewer resources. On top of the increased workload, you are often expected to meet growing demands with a team that just isn’t getting any bigger. Overall, these challenges indicate you need an integrated security solution that is not only effective, but consistent and simpler to manage. You need a systematic way to up your security game and provide robust Cisco security policy management across all of your locations.
Does This Sound Familiar? My team is stretched thin. We just keep up with the policy-change requests that hit us every day. I want to add new next-generation tools to keep up with the latest threats, but I don’t have the knowledge, the time, or the resources to do it – it’s just too complicated. It’s a struggle for us to maintain consistent security as our company grows. [Presenter guidance: Get up close and personal with your audience. Use this opportunity to get your customer talking. Take notes and use these points to frame the rest of your conversation.] Do any of the following sound familiar? Perhaps you’re experiencing these challenges on your team: It’s complex to manage security policy across multiple layers, with multiple technologies that don’t always play nicely together. The need to figure out what works and what doesn’t, while maintaining uptime and protecting against breaches can be difficult to balance. You’ve barely got enough time and resources to keep up with the status quo, let alone think of ways to make it better or improve your strategy. It’s a lot to manage, and there’s no room for mistakes or downtime. The good news is, we have built a solution that addresses these kinds of challenges. Our solution is informed from the ground up with input from customers, and it’s their feedback that has helped us deliver a solution that meets core needs. Hopefully your needs, as well.
Cisco Defense Orchestrator Introducing Cisco Defense Orchestrator A cloud-based policy management solution for Cisco® security products I’d like to introduce Cisco Defense Orchestrator, a cloud-based policy management solution for Cisco security products.
Simple Efficient Effective Can manage rules, policies, applications, and branches easily Simplify next-generation capabilities Manage through templates and policy blocks (develop and validate once, apply wherever needed) Manage policy within and beyond the perimeter With Defense Orchestrator, you get a simple, efficient and effective solution that strengthens security posture across your entire Cisco security portfolio. You can streamline security policy management and next-gen defense, extend the reach of your resources and achieve better security without adding complexity. Most security tools add management complexity. This is one of the only tools that will actually reduce the complexity and improve your security at the same time. Let’s dive deeper into each one of these areas.
Helping Network Ops Get the Most from Advanced Security Solutions Cisco® ASA 5500-X Series and ASAv Firewalls Cisco ASA with FirePOWER™ Services and Firepower™ Next-Generation Firewalls OpenDNS® Umbrella Policy change management Scalable orchestration of changes Policy analysis and optimization Policy monitoring and reporting
Simple One of the key advantages of Cisco Defense Orchestrator is that it’s simple.
Streamline Policy Management and Next-Generation Defense Simplify Without Sacrificing Security Manage next-generation protection with ease Orchestrate security policy management from one place Set up security at a new branch – it’s as easy as copy and paste Today, making changes to your firewall can be a very long and complicated process. For many teams, deploying changes and making sure they are right is a painstaking effort that takes up a lot of time. You need a simpler way to manage security policy changes with confidence. Defense Orchestrator helps you streamline security policy management and next-gen defense as your business grows. We make it simple for your team to do their job without compromising or sacrificing the strength of your security solutions. With Cisco Defense Orchestrator, you can: Manage next-gen protection with ease Orchestrate security policy management from one place And set up security at a new branch – it’s as easy as copy and paste This is an easy way to maintain security both inside and beyond the perimeter without being an expert in every Cisco security solution. It accommodates the needs of a modern team that works around the world and needs to protect their operations every step of the way.
Manage Next-Generation Protection with Ease Defense Orchestrator enables you to manage policy for the ASA, ASAv, ASA with FirePOWER™ Services, Firepower NGFW, and OpenDNS® Umbrella through a single interface Using Defense Orchestrator means you don’t have to be an expert in every Cisco security device and service in order to leverage their capabilities. Defense Orchestrator makes it easy to take advantage of the next-gen capabilities these offerings deliver. With Defense Orchestrator, security policy for the ASA, ASA with FirePOWER Services and OpenDNS is managed through a single interface. Defense Orchestrator translates your rulesets into language recognized by each of those technologies, so that you don’t have to manage security policy for each tool separately. From one location, you can manage security policies across all of these Cisco security devices and services. And as you add more Cisco security products, you can still systematically maintain a strong security posture.
Orchestrate Security Policy Management from One Place Defense Orchestrator Helps You Manage All of Your Security Policy Change management: Get visibility into the impact of change on affected security services and devices Auditing: Gain policy awareness and identify issues Change Impact Modeling Object and Policy Analysis Cisco® Defense Orchestrator Import from offline Discover directly from device Device Onboarding Security Policy Management Reports Monitoring: Track policy implementation and activity across all affected security services and devices Optimization: Adjust security policy rule sets to optimize performance OOB Notifications Defense Orchestrator helps you orchestrate security policy management from one place. You can onboard Cisco devices across distributed locations securely, either online or offline. It’s easy and painless and your data is encrypted and secure every step of the way. Once your devices are connected, Defense Orchestrator helps you orchestrate all four aspects of security policy management – through change management, auditing, optimization and monitoring. In terms of Change Management, you get visibility to change impact across affected Cisco security services and devices. You can visualize and orchestrate how changes affect global security posture using change impact modeling. In terms of Auditing, you gain policy awareness and identify issues. You have the ability to compare and edit duplicate, unused, and inconsistent configurations by conducting object and policy analysis. In terms of Optimization, you can adjust Cisco security policy rulesets to optimize performance based on insights from change impact modeling. You can also easily apply revised policy configurations across all Cisco devices. And last, for Monitoring, you can track policy implementation and activity across all impacted Cisco security services and devices through aggregated reports and out-of-band notifications.
Set Up Security at a New Branch – It’s as Easy as Copy and Paste Build security policy templates that help you apply consistent security policy across all branches Security Policy Headquarters Branch Security Policy Template Branch x x New Branch With Defense Orchestrator, setting up security at a new branch is as easy as copy and paste. You can build security policy templates that help you apply consistent security policy across your entire business. The good news is, you don’t have to build your templates from scratch. We make creating security policy simple by giving you a place to start. [Click 1] With Defense Orchestrator, you can easily modify preconfigured security policy templates by simply selecting or de-selecting the parameter attributes you want to adjust. This provides a simple and dynamic way to achieve advanced protection. Instead of manually configuring each and every Cisco device, you can use a single standard template over and over that gets applied to your existing headquarters and branch locations. [Click 2] As your business expands, the security admin can apply the same security policy template to the new locations. With this one-to-many approach, you can simplify the overhead of setting up and managing several locations.
Efficient Another key value of Cisco Defense Orchestrator is that it helps your team be more efficient.
Extend the Reach of Your Resources Do More with Less Cloud-based solution accelerates your time to benefit and helps cut costs Get visibility into your policies across devices to address problems and prevent mistakes Eliminate the need for multiple tools by managing policy centrally As a cloud-based security policy management tool, Defense Orchestrator drive efficiency by extending the reach of your resources. It frees up time, so that your team can focus on security rather than the infrastructure, and it gives you the tools you need to do more with less. Defense Orchestrator enables you to do this in three ways: First, by aligning your resources where they’re best used. This means keeping your deep security experts at headquarters and scaling their expertise from a central location. There’s no need for them to travel to every single new branch thanks to cloud-delivered and standardized security policy. Second, by getting visibility into your policies across devices to address problems before they happen and prevent mistakes. Use your resources to get ahead of the curve and fix problems or address risks before they cause a catastrophe. It’s better to take preventative measures rather than dealing with the aftermath of a breach. And third, by eliminating the need for multiple tools by offering a way to manage your policy centrally. Defense Orchestrator enables you to manage security policy across your Cisco security technologies, saving you the time and effort needed to manually configure next-gen protection.
Defense Orchestrator Helps You Get the Most out of Your Team’s Time and Your Investments Create security policy templates that can be deployed by any member of your team Use simple search-based management to quickly see how policies are enforced across devices Gain automatic layer 7 protection – no need to apply manual updates Now, we understand the limitations on your team. You’re required to save money, cut redundancies, handle security issues and manage them with a lean team – the ‘do more with less’ philosophy. To meet these requirements, it’s critical to adopt a strategic approach to security policy management. Defense Orchestrator can help you achieve a strong security posture and allow you to use your team’s resources wisely. Here are just a few Defense Orchestrator features that help you get the most of your team’s time and investments. Security policy templates enable your entire business to use security templates that can be deployed by anyone in your business and scale to thousands of devices more quickly. Your experts can craft a standard security policy template that can be deployed by any member of your team, anywhere it’s needed. This frees up time for the security experts to focus on the strategic aspect of their jobs. Simple search-based management enables you to quickly see how policies are enforced across devices. This feature is especially important for gaining an initial understanding of existing security policies before modifying or creating new ones. For example, if you want to adjust access to Facebook, you would first take a look at existing rules around Facebook access. You can do this by simply typing in the domain name ‘Facebook’ into the Defense Orchestrator interface for instant results that show you all objects related to Facebook. Without simple search-based management, it could take hours or more to scroll through existing policies to get the insight you need prior to deploying new rules. And last, leverage automatic layer 7 protection without spending time applying manual updates. Defense Orchestrator uses Security Intelligence Feeds in the back-end to automatically update IPS and AMP rules. You don’t have to worry if someone from your security team goes on vacation or gets sick – you can rest assured that automatic intrusion prevention and malware protection will keep your security up-to-date.
Effective Now we’ll look into the details of how Cisco Defense Orchestrator helps your team be more effective when it comes to managing security policy across your business.
Achieve Better Security Without Adding Complexity Close the Gaps to Strengthen Security Posture Design and deploy policy uniformly Uncover and remediate unplanned changes Extend protection to the application layer Is it possible to enhance your security and, at the same time, reduce complexity? Believe it or not, with Defense Orchestrator, you can. Defense Orchestrator helps you close gaps to strengthen your security posture by enabling you to design and deploy policy uniformly, uncover and remediate unplanned changes, and extend protection to the application layer. Now let’s dive a bit deeper into each one of those benefits.
Design and Deploy Policy Uniformly Improve Your Change Management Approach with Defense Orchestrator Apply policy changes consistently Eliminate unnecessary policy variations Rest assured that the right policies are applied when new devices are set up In order for security policy to be most effective, it first needs to be designed and deployed uniformly. Defense Orchestrator takes the pain out of ensuring proper Change Management. With a cloud-based tool, you can ensure configuration consistency and compliance with security policy templates. This means when you make a change in one place, you can propagate it everywhere it’s needed so that you don’t have any holes in your security armor. You can apply policy changes consistently, eliminate unnecessary policy variations and ensure the right policies are applied to new devices. By using Defense Orchestrator to drive a standard security policy approach, you’re also better prepared to handle audits and other compliance requirements.
Uncover and Remediate Problems Respond to Issues Quickly and Systematically Identify issues easily such as duplicate, unused, or inconsistent configurations, using object and policy analysis Respond more quickly to potential risks by receiving out-of-band change notifications Validate that the right changes went through in real time with cloud-based reporting ! It’s pretty common that issues arise on an ad hoc basis, or when a breach happens. With Defense Orchestrator, you can uncover and remediate problems in systematically and proactively. With Defense Orchestrator: You can respond more quickly to potential risks by receiving out-of-band change notifications. With this, you’ll know what was changed where and when. You can identify issues easily like duplicate, unused or inconsistent configurations, using object and policy analysis. Identifying unused objects has a significant impact on the effectiveness of your security system because it affects performance. Unused objects, though unused, are still loaded into the firewall memory. This brings your network throughput down and slows the performance of your security system. By staying on top of firewall hygiene, you system can be both more effective and more efficient. And lastly, you can validate that the right changes went through in real time with cloud-based reporting, which gives you the ability to enforce security policy change management. You can see right away if your policies are working.
Extend Protection to the Application Layer Gain layer 7 protection and stay secure through automatic Security Intelligence Feed updates Manage next-generation security down to the object level Track policy effectiveness with reports on destinations, categories, attacks, and risks ! Defense Orchestrator can also help you extend protection to the application layer across all of your locations – even beyond the perimeter. Using Defense Orchestrator to manage security policy across your Cisco security next-gen technologies, you can gain automatic layer 7 protection. You don’t have to rely on your team knowing what dials to turn on and off or what configurations to tweak. Automatic updates informed by Security Intelligence Feeds help you achieve advanced protection without deep expertise or precise fine-tuning. Defense Orchestrator enables you to Manage next-gen security down to the object level using object and policy analysis. You can compare new and existing security policy rules to ensure they are in-sync and not in conflict before deploying new policy. Let’s look at an example of how this would work. Let’s say a company has a problem with their employees visiting a gambling site called ‘draftkings.com.’ As you know, gambling sites are a known risk because they’re riddled with malware. The security admin can create a specific object that not only blocks traffic to gambling sites, but also blocks specific sites with the ‘drafkings.com’ domain name. Using object and policy analysis, the security admin can ensure the new object will work as intended and won’t be in conflict with existing objects. With Defense Orchestrator, you can also track policy effectiveness using reports on top destinations, categories, attacks and risks. Reports aggregate information across devices so that your security admin has visibility into top sites being visited, time-of-day traffic patterns, site reputation, site access methods, and so on. Based on the aggregated reports, your security team can analyze the effectiveness of existing policies and determine what new or modified rules need to be implemented to better secure and optimize system performance. In the draftkings.com example, the security admin would be able to use the reports as another method to ensure their policy was working. This means draftkings.com should no longer be showing up on the Top Destinations report. Here’s another example focused on the application layer: let’s say an existing policy blocks all instant messaging applications, like Google Chat, Yahoo Chat, AOL Chat, Facebook Messenger, but allows for Google Talk because your team has a business case for using that specific instant messaging application. If the reports show Google Chat is still being used, then your team will know that something must to be done to address the broken policy. This is the type of must-know, application-level security policy details that Defense Orchestrator can help you manage. [Note for presenter: insight into users is not available at this time.]
Use Cases Now let’s check out Defense Orchestrator in action. We’ll share a couple of use cases where Defense Orchestrator is providing simple, efficient and effective policy management.
Use Case: National Retail Company with Over 2,500 Stores Business challenge Enable enterprise-wide policy management Protect regional store, employees, and customers Support expedited deployment times Be scalable Cisco® Defense Orchestrator helps Discover and analyze current policies Develop policy standard Streamline deployment Push policy changes from a single location In this case, we are working with a retail organization that has a national footprint of over 2,500 retail stores. Their primary goal is to push internet out each store to reduce the ongoing telco costs incurred. Here are a few of their concerns: This project introduces new entry points into the network. They need a solution that will directly protect the regional store, employees and clients. This model also introduces a bug challenge in how they manage solid security policy structure enterprise wide. They want to be able to report against location Internet usage to identify they use adheres to business conduct policies. Their deployment timeline is key to the project. The longer it takes, the more cost incurred due to telco charges. They need a solution that presents the tools to expedite the schedule. They also need a solution that scales to meet future growth they will have due to future acquisition or mergers. Here’s the solution: The proposed solutions are the ASA with integrated FirePOWER, leveraging Defense Orchestrator as their policy management solution. The engagement happens in phases: The client is able to use Defense Orchestrator to start with discovering and analyzing the current policy structure. We are working with them to help model a configuration that adheres to their corporate policy standard. Leveraging our template feature, they can make variable changes per site for a streamlined and quick deployment. Post integration, the client can push changes to policy across both ASA platforms as well as FirePOWER enterprise wide. Once fully-integrated, management will have the visibility needed around internet usage to ensure it is for business purposes.
Cisco® Defense Orchestrator helps Use Case: National Design and Construction Firm Upgrading to NGFWs and Looking to Optimize Security Posture Business challenge New security objectives requiring next-generation capabilities Policy variation Lean staff Lots of remote users Moving from CapEx to OpEx Cisco® Defense Orchestrator helps Discover and analyze current policies Resolve object and rule issues Model a policy configuration Adopt an OpEx model and gain NGFW capabilities In this case, a national design and construction firm was going to upgrade their legacy ASAs purely due to the fact they were end of life/support. They knew they needed to up their game as it relates to security and focus on the application layer as well as the many egress points. Here are a few of their concerns: They want to ensure that they can enter the NGFW world with a solid foundation, but they really don’ know where to start. Policy sprawl has been an issue due to years of multiple admins and consultants, so they need to tighten down what’s in place. They run a very lean staff with everyone wearing multiple hats. They need to ensure that they can centralize management and bottom line – make it simple. They need to ensure they protect the egress points. They have accumulated a decent base of remote users and need to provide them the same level of security as someone sitting behind the firewall. They need to be able to produce basic reports on potential threats and internet usage. They have a financial objective to move away from Capex to an Opex model, as much as they can. Here’s the solution: The proposed solutions are the ASA with integrated FirePOWER leveraging Defense Orchestrator as their policy management solution. OpenDNS is phase 2 for their remote staff. We are working with their firm to optimize their security, while enabling them to support next-generation capabilities. The client purchased firewalls that we are helping them set up and once they have a solid state in place they will be exploring NGFW features. The engagement happens in phases: The client is able to use Defense Orchestrator to start with discovering and analyzing the current policy structure. We are working with them to resolve some object and rule issues of which they are able to write back directly to the ASA. We are working with them to help model a configuration that adheres to their corporate policy standard. Post integration, the client can push changes to policy across the ASA and FirePOWER modules. In the future when OpenDNS is integrated, they will be able to apply policy directly to this platform, as well from Defense Orchestrator. Once fully-integrated, management will have the visibility needed around internet usage to ensure it is for business purposes.
Don’t Take It from Us – Here’s What Our Customers Are Saying “I think that this is going to help drive significant value to our . . . business, specifically helping reduce time of deployment and decrease cost structures.” — VP of IT at Financial MSP “I’m pretty excited. . . . This will help me sleep at night. . . . We are trying to get our firewalls and configs to a standard . . . and it’s so daunting . . . [Defense Orchestrator] will help out a lot.” — Network Operations Manager Don’t take it from us – here’s what our customers are saying. Defense Orchestrator is making all the difference. It’s reducing time and cost requirements, enabling simpler security policy management and providing peace of mind.
Defense Orchestrator: Security Policy Management Made Simple, Efficient, and Effective Streamline security policy management and next-generation defense Efficient Extend the reach of your resources Effective Achieve better security without adding complexity With Defense Orchestrator, you get a simple, efficient and effective solution that strengthens security posture across your entire Cisco security portfolio. You can streamline security policy management and next-gen defense, extend the reach of your resources and achieve better security without adding complexity. Most security tools add management complexity. This is one of the only tools that will actually reduce the complexity and improve your security at the same time.
Get Started Today Discover more about Cisco® Defense Orchestrator www.cisco.com/go/cdo Schedule a demo and proof of value with our team cdosales@cisco.com Let’s get started now. Be sure to check out our page and share details about Defense Orchestrator with your team. We’d love to set up time with you to run a demo and allow our technical team to hold a proof of value to discuss details and show what Defense Orchestrator can do for your business. We look forward to helping you provide a robust security across your business in a systematic and simple way through Cisco Defense Orchestrator. Thank you for your time.
Thank you for your time.