
Cisco Security

Assessments and POVs

GSSO Channel Engineering


Agenda

Partner Executed POV
• POV Methodology

On-Prem Security Assessments:
• NGFW Threat Scan
• AMP for Endpoints
• Security Online Visibility Assessment (SOVA)
• Email Security with AMP

Cloud Security Assessments:
• Email Security with AMP/Office 365 Threat Analyzer
• Umbrella
• Cloudlock
• Stealthwatch Cloud

Threat Hunting Workshops

Cyber Threat Response Clinics

© 2018 Cisco and/or its affiliates. All rights reserved. 2


Partner Executed POV
Well-established process to ensure success and drive partner profitability. The Fire Jumper program
builds competence with Cisco solutions and prepares partner SEs for POVs. Individual and partner
incentives and promotions help to migrate Cisco and competitive installed base.

Training & Enablement -> Incentives & Promotions -> POV Delivery -> Partner Profitability

Fire Jumper trained partner SEs engage with customers and lead POVs

1. Well defined POV program with established Win Criteria
2. Best Practices Guides for repeatable processes and increased Win Rate
3. Engagement with Channel and Direct teams for opportunities



POV Methodology

Find Opportunity -> Presentation & Demo -> Proof of Value

Proof of Value
• Win Criteria defined up-front to limit scope of POV
• Data Collection Worksheet to properly prepare solution configuration
• On-site delivery leveraging dCloud where available
• Customer facing meeting to deliver reports focused on Cisco differentiating value
• Pre & Post POV form submission for individual incentives
On-Site POV Process

• Software Download
• Software Installation
• Bootstrap
• Licensing
• Initial Configuration
• Customer Report Generation
• Device Sanitization

Proof of Value: https://community.cisco.com/t5/security-documents/product-proof-of-value-pov/ta-p/3633986
dCloud POV
• Pre-Configured & pre-licensed Manager
• Limited on-site deployment
• ASA or Firepower Appliance
• Optional Endpoint Kit
• Ensures consistency and saves time
• Eligible for Cisco Rewards incentive
• Coverage
• Firepower Services for ASA 5.4.1+
• Firepower Threat Defense 6.0.1+
• FTD 6.1+ for Firepower 4150 appliance
• FTD 6.2.1+ for Firepower 2K appliances

Proof of Value:
https://community.cisco.com/t5/security-documents/product-proof-of-valu
POV Hardware Sourcing (if required)

Find Opportunity -> Presentation & Demo -> Proof of Value

POV Hardware
• POV hardware available through Cisco account team
• Primary use for strategic POVs with high performance appliances (e.g. Firepower 4100 / 9300)
• Requires deal registration and SFDC opportunity creation by Cisco Security AM
• Contact Cisco PDM or Security AM for support
Proof of Value: Deployment Options


On-Site Sensor and FMC

Diagram: Internet -> Firewall -> Switch (span / tap) -> FTD; FMC on VMware ESXi on the LAN with Users and Active Directory; FMC produces Risk Reports.

• Build VMware ESXi server
• Download and install FMC VM
• Add Licenses to FMC
• Update FTD Software
• Place FTD on span or tap port
• Configure Policies:
• System
• Health
• Intrusion
• File
• Access Control
• Perform POV
• Generate Risk Reports
• Sanitize (FTD, FMC)
On-Site Sensor and dCloud FMC

Diagram: Internet -> Firewall -> Switch (span / tap) -> FTD on the LAN with Users and Active Directory; FTD connects to the dCloud FMC over the Internet on TCP 8443; the dCloud FMC produces Risk Reports.

• Schedule dCloud Session
• Download and install FMC VM
• Add Licenses to FMC
• Update FTD Software
• Place FTD on span or tap port
• Internet Connection TCP 8443
• Configure Policies
• System
• Health
• Intrusion
• File
• Access Control
• Perform POV
• Create Risk Reports
• Sanitize (FTD)

Optional: An Active Directory 1-to-1 NAT configuration is required for additional user and hostname context sent to dCloud. This is not a requirement for the POV.
Why Do a Proof of Value?
• Benefits
• Can show customer how quickly we can scope, contain, and remediate a threat.
• Can show how easy it is to deploy and maintain
• We usually surface at least one unknown infection previously established in their environment and save them from an incident
• Risks
• Improper tuning and deployment can create performance headache
• Concurrent POV with another vendor on the same machine can create a resource conflict


Determining Success Criteria

• STAY AWAY FROM THE “DETECTION GAME”
• AMP is the answer to the question “what now”, not “would you detect this?”
• Review the Success Criteria
• Determine the end goal
• Remediating a threat?
• Forensic investigation?
• Disabling malware?
• Observing attacker behavior?
Cisco Security Online Visibility Assessment

A free, 14-day risk assessment

Focused on common areas of security risk

Provides an immediately actionable, detailed report



Security Online Visibility Assessment
Deployment diagram: the Core Switching / Data Center Segment exports NetFlow and the Accounting Segment exports IPFIX to the Security Online Visibility Assessment Cloud Collector over an Encrypted Private Tunnel.


How to Set Up SOVA
• Visit the SOVA Briefcase on SalesConnect
https://salesconnect.cisco.com/#/program/PAGE-10733
• Watch training videos under “Core Assets”
• Take the COLT exam.
• To request access to the SOVA portal, complete the following: If you are a GSSO sales engineer, request access from your SE manager. If you are a Cisco Generalist or Cisco Partner, please email sova-help@cisco.com to request access.


The Report
• Detailed results
• Can identify areas of risk and active threats
• Provide actionable intelligence to help you adjust security policies and guide purchase decisions
ESA Proof of Value
• POV Best Practices Guide:
https://community.cisco.com/t5/security-documents/product-proof-of-value-pov/ta-p/3633986
• Need to export reports in PDF, CSV, or take screenshots for the customer deliverables
• POV Guide provides some examples, but findings will vary for each customer.
• Analyze data collected & include most relevant information according to what you see in the reports.
• Licensing:
https://community.cisco.com/t5/security-documents/cisco-security-licensing-and-software-access/ta-p/3633739
POV Process
• Licensing
• Software Download
• Installation
• Initial Configuration
• Policy Settings
• Report Generation
• Device Sanitation



Threat Analyzer Tool for O365

Cisco Email Security
Talos on Cisco Email Security: constant and integrated security feeds

Protecting incoming email:
• Sender Reputation Filtering
• Anti-Spam
• Anti-Virus
• Advanced Malware Protection (AMP)
• Graymail Detection
• Outbreak Filters
• Real-Time URL Analysis

Incoming email actions: Drop, Rewrite, Quarantine
What is the O365 Threat Analyzer Tool
• Free to use non-CES subscription tool that reports on threats
• Zero impact on customer environment
• Leverages full scanning capabilities of Cisco Email Security
• Reports on SPAM, Graymail and Malware threats.


Cloud Email Security with Office 365

O365 – E3:
• Anti-spam filters
• Anti-virus protection
• Policy enforcement
• Disaster recovery
• Directory services
• Advanced Threat Protection (Safe Links, Safe Attachments)*
• Message tracking (limited)
• Email encryption (cloud-based only)
• Data loss prevention
*Only with E5

Cisco Email Security w/O365:
• Anti-spam filters
• Anti-virus protection*
• Policy enforcement
• Disaster recovery
• Directory services
• Graymail detection
• Outbreak Filters
• Message tracking
• Email encryption (cloud and on premise)
• Advanced Malware Protection
• Detailed reporting
• Zero-day incident management
• Data loss prevention
*Anti-virus provided by O365
Sample Report


POV Process

• Account/License Request
• Setup customer network/Identity
• Modify DNS
• Create Policies
• Customer Report Generation
• License Conversion
• Close

Partner Proof of Value (PPoV) Console
What PPoV can do for you
With this tool, you can easily:
• Provision 21-day customer trials
• Track multiple customer trials from an easy-to-use cloud-based console
• Extend trials for another 21 days
• Request access to customer’s trial
• Produce reports to show blocked attacks

Which leads to: More closed deals!
Cisco Cloudlock addresses organizations’ most critical cloud security use cases
Discover and Control:
• Compromised Accounts
• Data Exposures and Leakages
• OAuth Discovery and Control
• Insider Threats
• Privacy and Compliance Violations
• Shadow IT
• User and Entity Behavior Analytics
• Cloud Data Loss Prevention (DLP)
• Apps Firewall
CASB – API Access (cloud to cloud)

Diagram: Unmanaged Users, Unmanaged Devices and Unmanaged Network reach cloud apps through Public APIs; Managed Users, Managed Devices and Managed Network pass through Cisco NGFW / Umbrella.
Often, Cisco Cloudlock sells itself without a Proof of Value (POV)
Many customers are convinced by:
• Ease of deployment
• Customer references
• Analyst validation

https://get.cloudlock.com/product-security-assessment/
Stealthwatch Cloud monitors on-premises and cloud network traffic

Stealthwatch Cloud: Private network monitoring and Public cloud monitoring

Public cloud monitoring
• Based on native telemetry, such as VPC Flow Logs
• Priced on number of flow logs

On-premises network monitoring
• Based on IP metadata, such as NetFlow
• Priced on number of endpoints
Using modeling to detect security events
Dynamic Entity Modeling

Collect Input:
• IP Meta Data
• System Logs
• Security Events
• Passive DNS
• External Intel
• Vulnerability Scans
• Config Changes

Perform Analysis (Dynamic Entity Modeling):
• Role
• Group
• Consistency
• Rules
• Forecast

Draw Conclusions:
• What is the role of the device?
• What ports/protocols does the device continually access?
• What connections does it continually make?
• Does it communicate internally only?
• What countries does it talk to?
• How much data does the device normally send/receive?
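The slide above describes the idea only; the following is an added example, not Cisco's code, showing the baseline-then-deviate logic behind entity modeling on constructed NetFlow-style records (source, destination, destination port, bytes). The internal address range, the records and the 3-sigma threshold are assumptions made for the example.

```python
"""Added illustration of entity modeling: learn what each source host
continually does (ports, peers, internal-only, typical bytes per flow),
then flag new flows that deviate from that baseline."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (src, dst, dst_port, bytes_out).
# Assumption: internal hosts live in 10.0.0.0/8.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 445, 20_000), ("10.0.0.5", "10.0.1.10", 445, 22_000),
    ("10.0.0.5", "10.0.1.20", 389, 5_000),  ("10.0.0.5", "10.0.1.20", 389, 4_800),
    ("10.0.0.5", "10.0.1.10", 445, 21_000), ("10.0.0.5", "10.0.1.20", 389, 5_200),
]
NEW_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 445, 21_500),              # consistent with baseline
    ("10.0.0.5", "203.0.113.9", 443, 900_000_000),       # new external peer, huge upload
]

def is_internal(ip):
    return ip.startswith("10.")

def build_model(flows):
    """Per-entity baseline: ports and peers continually used, whether it ever
    talks externally, and the bytes sent per flow (for the forecast check)."""
    model = defaultdict(lambda: {"ports": set(), "peers": set(), "bytes": [], "external": False})
    for src, dst, port, nbytes in flows:
        m = model[src]
        m["ports"].add(port)
        m["peers"].add(dst)
        m["bytes"].append(nbytes)
        m["external"] |= not is_internal(dst)
    return model

def evaluate(model, flows, z=3.0):
    """Return (entity, reason) findings for flows that deviate from the baseline."""
    findings = []
    for src, dst, port, nbytes in flows:
        m = model.get(src)
        if m is None:
            findings.append((src, "unknown entity"))
            continue
        if dst not in m["peers"]:
            findings.append((src, f"new peer {dst}"))
        if port not in m["ports"]:
            findings.append((src, f"new port {port}"))
        if not m["external"] and not is_internal(dst):
            findings.append((src, "internal-only entity now talks externally"))
        mu, sd = mean(m["bytes"]), pstdev(m["bytes"]) or 1.0
        if (nbytes - mu) / sd > z:                      # z-score volume forecast
            findings.append((src, f"bytes {nbytes} exceed baseline"))
    return findings

if __name__ == "__main__":
    for finding in evaluate(build_model(BASELINE_FLOWS), NEW_FLOWS):
        print(finding)
```

A real deployment would add the remaining inputs from the slide (passive DNS, external intel, vulnerability scans) and a longer learning window before alerting.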
https://www.cisco.com/c/en/us/products/security/stealthwatch/stealthwatch-cloud-free-offer.html

https://salesconnect.cisco.com/open.html?c=120edf8b-c962-4c4c-91fc-09f7841e175d


Threat Hunting Workshops
• How to identify advanced threats that lurk in your environment
• Exposure to emerging threats and how should you respond
• How to regain resources and minutes by reducing time to remediate
• More details on the Security Community
• https://community.cisco.com/t5/security-documents/threat-hunting-workshop-overdrives/ta-p/3644075
• Request Tool (Internal or Partner):
• https://app.smartsheet.com/b/form/b1ca6054d01e40b68d22a323947cb8dd


Cyber Threat Response Clinics
• Includes Lecture/Video/Labs
• Up to 8 Modules
• Attendees can be Attackers and Defenders
• Delivered via dCloud
• Includes Comic Book and other marketing materials which can be customized for partners and customers
• https://community.cisco.com/t5/security-documents/cisco-cyber-threat-response-ctr-clinic/ta-p/3610989