ISE Training

 

 

Training Partners

 

Customers or Channel Partners needing specific or extensive training that you cannot find in our Community or below should consider contacting one of our global training partners to fulfill your needs via the Cisco Learning Locator.

 

 

Channel Partners

 

Cisco Channel Partners will find in-depth training, VT content and Labs available at ISE Partner Training [partner designation required] and in Cisco SalesConnect.

 

 

Product Training

 

Getting Started with ISE

DNA Software Demo Series [Replays] for ISE Wired, Wireless, Group-based Policy. Live 1st & 3rd Wednesdays @ 11am PST

CiscoISE @ YouTube

TechWiseTV: Inside Cisco ISE

 

Network Node

Watch and learn from katmcnam, Cisco Consulting Systems Engineer (CSE), as she configures and integrates ISE 2.2 with Cisco wired, wireless and security products for a complete secure access with rapid threat containment solution! She shows you how to configure Identity Services Engine (ISE) 2.2, Active Directory (AD), Cisco Switch, Wireless LAN Controller (WLC), FirePower Management Center (FMC), Adaptive Security Appliance (ASA), Web Security Appliance (WSA), Mobility Services Engine (MSE), Stealthwatch, Stealthwatch Flow Collector, and Splunk.

 

1.1 - ISE Lab Overview

1.2 - Configuring Server 2012 - AD, DNS, DHCP, CA, Certificate Templates, GPO

1.3 - Initial Configuration of ISE

1.4 - Initial Configuration of FTD, CSR, and ASAv

1.5 - Switch Configuration

1.6 - Profiling Fun!

1.7 - The Active Directory Probe

1.8 - Wired 802.1x Configuration

1.9 - WLC Installation and Setup

1.10 - Wireless SSID Creation with ISE 2.2

1.12 - Hotspot and Self Registering Guest Setup

1.13 - BYOD Configuration

1.14 - AMP For Endpoints Overview and Integration with ISE

1.15 - TACACS+ for WLC

1.16 - TACACS+ for ASA

1.17 - TACACS+ for IOS

1.18 - ISE 2.2 Application Visibility and Posture

1.19 - Prime Infrastructure and ISE

1.20 - Firepower & ISE integration and Rapid Threat Containment

1.21 - ISE & WSA Integration

 

 

We are beginning to offer videos on demand directly to our customers and partners on the Cisco Communities site and our YouTube channel for ISE. These are just a sample of what you can find.

 

Topic | Date

ISE 2.2

ISE Setup for Wireless Intro - YouTube | January 2017
ISE Setup For Wireless - Self-Reg Guest in 5 minutes - YouTube | January 2017
ISE Setup For Wireless - Hotspot Guest in under 5 minutes - YouTube | January 2017
ISE Setup For Wireless - Sponsored Guest in 5 minutes - YouTube | January 2017
ISE Setup For Wireless - BYOD Single SSID in 5 minutes - YouTube | January 2017
ISE Setup For Wireless - BYOD Dual SSID in 5 minutes - YouTube | January 2017
ISE Setup For Wireless - Secure Access DO1X in 5 minutes - YouTube | January 2017

ISE 2.1

ISE 2.1: Guest Access Training (Foundation) PDF | August 2016
ISE 2.1: pxGrid Training (Foundation) PDF | August 2016
ISE 2.1 Chromebook BYOD | September 2016
ISE 2.1 What's New: Streamlined Visibility Wizard | June 2016
ISE 2.1 What's New: Context Visibility | June 2016
ISE 2.1 What's New: Easy Connect | June 2016
ISE 2.1 Rapid Threat Containment (RTC) with Firepower Management Center (FMC) 6.1 | June 2016
ISE 2.1 Threat-Centric NAC (TC-NAC) with Qualys | June 2016

ISE 2.0

How to Configure Central Web Auth with Meraki Wireless and ISE | May 2016
Cisco ISE with WLC Setup Video | April 2016
ISE & MSE Location Based Services Lab Video

 

 

Cisco Live

 

Our Technical Marketing Engineers (TMEs) present to customers and partners on many topics at our Cisco Live conferences around the world every year. We highly recommend attending Cisco Live in your part of the world for an incredible learning experience! But if you cannot make it in person, most of the sessions are still made available to you for free on the Cisco Live site. We have consolidated the ISE-related product and solution topics for you below!

 

 

2017 Cisco Live Cancun

November 6-10, 2017

Topic

 

Matt Robertson, Technical Marketing Engineer, Cisco

Recent trends have led to the erosion of the security perimeter and attackers are gaining operational footprints on the network interior. This session provides an overview of how to take back control by implementing visibility and enforcement on the network interior. This session will describe how to gain visibility into devices and user activity leveraging the Cisco Identity Services Engine and Cisco Stealthwatch, including the identification of malware leveraging the Encrypted Traffic Analytics solution. Effective methodologies of designing and implementing policy using Stealthwatch and TrustSec will be discussed. Design and operational best practices in establishing a security monitoring program using the Stealthwatch System will be presented. Finally, accelerated response with Rapid Threat Containment with Stealthwatch and ISE will be discussed. The target audience for this session are network and security administrators and analysts interested in learning how to incorporate visibility and rapid response as a component of their security operations center.

Advanced Security Integration, Tips & Tricks - BRKSEC-2078

 

Aaron Woland, Sr. Secure Access Engineer, Cisco

You only use one security product, right? Most likely not. The Cisco security ecosystem is filled with powerful technology, often referred to as “smart tools for smart people”. With technologies, such as STIX, TAXII, pxGrid, and a world of open APIs - there are so many integrations possible. What is the best way to share context? How can we best leverage the integrations with third party vulnerability scanners and threat intelligence services? What about Rapid Threat Containment and Threat-Centric NAC (TC-NAC)? Advanced Security Integration, Tips & Tricks is a spin-off from the long running Advanced ISE Services, Tips and Tricks session and is all new for 2018. We will examine using ISE for context sharing as part of the Rapid Threat Containment solution with a strong focus on deploying pxGrid and Identity Sharing. Leveraging ISE to provide other systems with the identities of users on the network for identity based policy is a major use-case and focus of the ISE product, and will be covered in depth. Integrations details, tips, tricks and best practices from the field will be covered to include Stealthwatch, Firepower Management Center (FMC), the Cisco Web Security Appliance (WSA), AnyConnect Network Visibility Module, Splunk, Rapid7 Nexpose, Nessus VA, Cognitive Threat Analytics, and many more. We will not just focus on how to do the integration, but also what value each integration can bring.

 

 

David Iacobacci, Member of Technical Staff, Cisco

This session will illustrate how Cisco IT deployed Identity Services Engine and TrustSec to solve real world business and security problems. Today, access for wireless, wired, guest and remote access VPN is managed for over 440 sites worldwide, and over one million endpoints. The session will share Cisco IT efforts on wired 802.1x, Security Group Tagging (SGT), Device Posture and Integration with Mobile Device Management (MDM), Quarantine, and the use of PxGrid data to incorporate other products such as WSA's and Stealthwatch. The session will also include a brief overview on how Cisco IT uses Splunk for data analysis, reporting, and troubleshooting. Cisco IT will be sharing actual examples and metrics from their deployment, making this session ideal for mid-level technical IT professionals, project managers, and decision makers who are looking to, or are in the process of, deploying a large scale ISE solution.

 

Mark Bernard, CSE, Cisco

This technical breakout is designed for CCIE Security Candidates that are getting ready to study for their lab exam. The main objective on this breakout is to cover some of the core topics of Identity Management, Information Exchange, and Access Control. The topics that will be covered will closely follow the topics in the CCIE lab version 5 Blueprint to include the following: How to install, implement, and troubleshoot various personas of ISE in a multinode deployment. How to troubleshoot network access device (NAD), ISE, and ACS configuration for AAA. Implement, verify, and troubleshoot AAA for network access with 802.1X and MAB using ISE. Verify, and troubleshoot profiling and posture assessment with ISE. Describe, implement, and troubleshoot pxGrid between security devices such as WSA, ISE, and Cisco FMC. Describe, implement, verify, and troubleshoot guest life cycle management using ISE and Cisco network infrastructure.

 

 

2017 Cisco Live Las Vegas

June 25 – 29, 2017

Topic | Video | Slides

DEVNET-1010 - Using Cisco pxGrid for Security Platform Integration (2017 Las Vegas)

Brian Gonsalves - Sr. Manager Product & Business Development, Cisco

Nancy Cam-Winget - Distinguished Engineer, Cisco

Learn about the Cisco Platform Exchange Grid (pxGrid) publish/subscribe/query information exchange framework that enables multi-vendor, cross-platform network system collaboration among IT infrastructure such as security monitoring and detection systems, network policy platforms, identity and access management platforms, and virtually any other IT operations platform. This session will cover pxGrid architecture, integration use-cases, and how ecosystem partners can integrate with Cisco Identity Services Engine (ISE) and other Cisco security platforms using the pxGrid SDK. This session will cover: Functional and architectural basics of Cisco Platform Exchange Grid (pxGrid) for information exchange framework for creating integration between DevNet partner platforms and Cisco security products. Integration use-cases such as utilizing pxGrid for executing threat response actions on the network and using identity, endpoint device and user access privilege context to enhance our DevNet partners analytics, forensics and reporting.

Video | Slides

PSODGT-1077 - Secure Data Center, WAN with FirePower services (AMP, IPS, URL), and Access with ISE and AnyConnect from multi vector attacks through Cisco ONE Software (2017 Las Vegas)

William Young - Security Solutions Architect, Cisco

Pooja Kapoor - Senior Manager, Product Management, Cisco

Security made Simple - Network buyers can now minimize the time spent in figuring what security features to buy and deploy with the network assets. With Cisco ONE Advanced Security offers they can now purchase & manage security with infrastructure software to protect assets across Data Center, WAN and Access. It includes features like threat defense with FirePOWER services, and policy control with ISE Plus, ISE Apex and AnyConnect Apex. Join us to learn about Cisco ONE advanced security offers.

Video | Slides

CCS-2001 - Cisco Secure Hospital (2017 Las Vegas)

Marvin Dsouza - Systems Engineer, Cisco

Larry Gress - AM, Cisco

Tyler Palmer - Network Architect, LAWRENCE MEMORIAL HOSPITAL

Lawrence Memorial Hospital has had some business issues related to PCI compliance and a need to modernize enterprise security and infrastructure. Their roadmap over the course of this year is to leverage Cisco ACI, ISE, ASR and other technologies to make their network more agile while securing it and giving them visibility and control.

Video | Slides

BRKEWN-2005 - Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD (2017 Las Vegas)

Kanu Gupta - Technical Marketing Engineer, Cisco

Learn how to design secure wireless networks from A to Z. In this session we will cover some of the major threats associated with wireless networks and the tools we have to mitigate and prevent them, such as rogue AP detection, wIPS and spectrum intelligence. We will also take a look at the principles of secured wireless networks (encryption, 802.1X, guest access, etc.) and will dive into the latest identity services available to address different kinds of devices (laptops, tablets, smartphones, etc.) and users (employees, guests, contractors, etc.). Prerequisites: knowledge of 802.11 and 802.1X fundamentals is recommended.

Video | Slides

BRKCOC-2018 - Inside Cisco IT: How Cisco Deployed ISE and TrustSec throughout the Enterprise (2017 Las Vegas)

Bassem Khalife - Member of Technical Staff, Cisco

David Iacobacci - Member of Technical Staff, Cisco

This session will illustrate how Cisco IT deployed Identity Services Engine and TrustSec to solve real world business and security problems. Today, access for wireless, wired, guest and remote access VPN is managed for over 440 sites worldwide, and over 1 million endpoints. The session will share Cisco IT efforts on wired 802.1x, Security Group Tagging (SGT), Device Posture and Integration with Mobile Device Management (MDM), Quarantine, and the use of PxGrid data to incorporate other products such as WSA's and Stealthwatch. The session will also include a brief overview on how Cisco IT uses Splunk for data analysis, reporting, and troubleshooting. Cisco IT will be sharing actual examples and metrics from their deployment, making this session ideal for mid-level technical IT professionals, project managers, and decision makers who are looking to, or are in the process of, deploying a large scale ISE solution.

Video | Slides

BRKSEC-2026 - Building Network Security Policy Through Data Intelligence (2017 Las Vegas)

Darrin Miller - Distinguished Technical Marketing Engineer, Cisco

Matthew Robertson - Technical Marketing Engineer, Cisco

Recent attacks have demonstrated it has become necessary to implement security policies inside the network. This session leverages the foundation of the Cisco network and the building blocks of Security Group Tags (SGT) and NetFlow together with Cisco Identity Services Engine (ISE) and Cisco StealthWatch to design and build effective security policy to secure the network interior. Using these technologies the session will explore how to transform the network infrastructure to protect critical assets and to limit the movement of attackers inside the networks: effectively improving security posture and the ability to respond to attacks. This session will cover design and deployment scenarios, use cases, best practices and configuration examples as well as how to monitor and troubleshoot the deployment. The target audience for this session are network security administrators and analysts interested in learning this novel approach to network security.

Video | Slides

BRKSEC-2039 - Cisco Medical Device NAC (2017 Las Vegas)

Tim Lovelace - Systems Engineer, Cisco

Mark Bernard - CSE, Cisco

Healthcare customers have many security challenges that Medical NAC can help address. Lack of visibility of medical devices accessing their network makes it impossible to implement device segmentation. This session explains how customers can leverage Cisco ISE and Cisco StealthWatch to identify and classify most devices as well as users accessing the network. Both clinical and non-clinical devices are accessing the same network. A breach could compromise patient safety as well as protected health information. Effective segmentation of clinical and non-clinical devices with Cisco TrustSec software-defined segmentation can protect patients from security threats. We will first explain Medical Device NAC and the challenges of securing medical devices. This includes secure authentication for medical devices to include 802.1x, Web Portal and MAC authentication methods. Next we discuss how ISE profiles medical devices using the following probes: Radius; SNMP; DHCP; HTTP; DNS; NMAP and Netflow. We will spend time explaining Cisco ISE medical NAC profile Library and how to install this library into ISE. Next, we will spend time talking about how to utilize Cisco StealthWatch to accurately baseline medical device behavior using the flow sensor and Packetwatch. Cisco StealthWatch can be leveraged to understand medical device baselines and port usage in order to more accurately profile devices to create policy. Finally we will summarize the steps and checklists that customers can use on their networks to move towards Medical Device Segmentation using Cisco Medical Device NAC.

Video | Slides

BRKSEC-2047 - Operationalizing Advanced Threat Solutions (2017 Las Vegas)

Karel Simek - Technical Marketing Engineer, Cisco

The need for threat detection solutions on the network interior is apparent, however, unless they are effectively operationalized network interiors remain unprotected and attackers can still wreak havoc on an organization. This session will leverage the experience gathered from past years working closely with selected companies and cover day-to-day threat hunting work with technologies such as AMP, CTA, StealthWatch, ISE and ThreatGrid. This session will then present workflows and experiences that evolved from incident response environments heavily optimized towards much faster response times. Answers such as "What risk are we undertaking by not resolving this right now?" need to be given very quickly in order to prioritize breaches with other security agendas and avoid data leaks. As there is a large amount of available data and security intelligence in today's networks, we show which information (both local and global) is most useful at each step and where technology can prevent overburden and provide good coverage of latest malware - both known and unknown. The target audience for this session are network and security administrators and analysts interested in learning how to best operationalize components of the Cisco Advanced Threat portfolio as components of their breach mitigation strategies and security operations centers.

Video | Slides

BRKSEC-2059 - Deploying ISE in a Dynamic Environment (2017 Las Vegas)

Clark Gambrel - TECHNICAL LEADER.ENGINEERING, Cisco

Managing a secure, yet flexible network in today's network access environments can be very challenging. Network access in areas like universities, hospitals and airports host a broad array of devices, both privately owned and corporately managed. With the increasing importance of the Internet of Things, the variety of devices that need to connect to these public networks is rapidly increasing. Cisco Identity Services Engine (ISE) plays an integral role in controlling the access to these dynamic networks. This session will share lessons learned from an ISE escalation engineer in troubleshooting complex customer environments.

Video | Slides

BRKSEC-2134 - Intermediate - Building a Highly Secure Internet Edge (2017 Las Vegas)

Michal Garcarz - Engineering Lead, Cisco

The Internet Edge is a critical functional module of the Enterprise network, acting as a well-defined yet increasingly complex construct, providing a secure perimeter between the Internet Peering, Internal Network, DMZs, Remote Sites and Mobile Users. Thus, in order to achieve a highly secure demarcation, control and threat protection of the traffic traversing the Internet Edge, we will employ a rich set of Cisco Security technologies. ASA Firewall, FirePOWER Next-Generation Firewall and Next-Generation IPS, unified Firepower Threat Defense, Web Security Appliance, Umbrella, Advanced Malware Protection and ThreatGrid, Identity Services Engine with pxGrid, Cisco AnyConnect Secure Mobility, as well as Cyber Threat Defense with Stealthwatch, Cognitive CTA and Stealthwatch Learning Networks. We will analyze most interesting scenarios by identifying common traffic patterns involving Inside, DMZ, Remote and Guest Users, in order to achieve superior visibility, combat threats and deliver meaningful ways to provide attack mitigation mechanisms in a systematic step-by-step fashion. This Intermediate Session requires technical knowledge and experience and is recommended for Security Engineers, Architects, Officers and Incident Responders responsible for securing the Enterprise IT. It is also designed to be a platform to grasp new ideas of Cisco recent and upcoming innovations. It is recommended to get the most of the Cisco Live! Security Track experience by attending more advanced sessions on specific subjects of interest as a follow up to this breakout.

Video | Slides

BRKSEC-2203 - Enabling Software-Defined Segmentation with TrustSec (2017 Las Vegas)

Fay Lee - Technical Marketing Engineer, Cisco

Network segmentation is essential for protecting critical business assets, but traditional segmentation approaches involve operational complexity and can be difficult to introduce to existing environments gracefully. Balancing these demands for agility and security requires a new approach. This session will cover how to use software-defined segmentation, allowing segmentation patterns to be implemented and changed without reconfiguring network devices or redesigning the network. This session will cover how to implement segmentation based upon endpoint roles, called security groups, instead of endpoint IP addresses. IP addresses do not indicate the role of a system, the type of application a server hosts, the purpose of an IoT device or the threat-state of a system, but a TrustSec Security Group can denote any of these roles. By classifying systems using logical groups, group-based policies can be used to simplify management of security rules in firewalls, VPN appliances, Web Security Appliances, routers, switches, Wireless LAN Controllers and Access Points. The session is targeted at network and security architects who want to know more about group-based policies and software-defined segmentation.

Video

Slides

Notes

DEVNET-2433 - DevNet Workshop-Learning Cisco Platform Exchange Grid (pxGrid) Dynamic Topics (2017 Las Vegas)

Gajveer Singh - Developer, Cisco

Syam Appala - Principal Engineer, Cisco

Cisco platform Exchange Grid (pxGrid) is a framework for sharing topic information between pxGrid clients. This session will illustrate this concept by using the pxGrid SDK to create a pxGrid publisher and a pxGrid subscriber and having the subscriber consume inventory information from a published Auction topic. The developer should have some familiarity with Cisco Identity Services Engine (ISE) and Cisco platform Exchange Grid (pxGrid). Taking place in the DEVNET Zone.

Video | Slides

BRKSEC-2695 - Building an Enterprise Access Control Architecture using ISE and TrustSec (2017 Las Vegas)

Imran Bashir - Technical Marketing Engineer, Cisco

Tomorrow's requirement to network the Internet of Things requires an access control architecture that contextually regulates who and what is allowed onto the network. Identity Services Engine (ISE) plays a central role in providing network access control for Wired, Wireless and VPN networks. In addition, ISE is the policy control point for TrustSec, which controls access from the network edge to resources. This session will focus on: 1. Emerging business requirements and ISE services such as: Guest, profiling, posture, BYOD and MDM. 2. Secure policy based access control including 802.1X, MAB, Web Authentication, and certificates/PKI. The session will show you how to expand policy decisions to include contextual information gathered from profiling, posture assessment, location, and external data stores such as AD and LDAP. 3. Enforcing network access policy through conventional means such as VLANs and ACLs and emerging technologies such as TrustSec. Cisco TrustSec technology is used to segment the campus and datacenter to increase security and drive down the operational expenses associated with managing complex ACL firewall rule tables and ACLs lists. This session is an introduction to the following advanced sessions: BRKSEC-3699; BRKSEC-3698; BRKSEC-3690; TECSEC-3691

Video | Slides

BRKNMS-2800 - Putting the Puzzle Together: The Architecture of Cisco Network Management Tools (2017 Las Vegas)

Lewis Hickman - CSE, Cisco

Jennifer Valentine - Systems Engineer, Cisco

Anyone who has tried to wrap their heads around successfully managing and operating a network has come up against the vast expanse of tools, each with its own functionality. Developing a network management architecture is as critical as designing your infrastructure's architecture. As we evaluate tools and make decisions to efficiently manage our networks, it becomes clear as mud. Which tool will accomplish what job? Where does it fit in the overall scheme of your arsenal of tools? Cisco offers many solutions that touch network management; some sit at a higher level of automation and orchestration, such as APIC-EM, while others drill down into the nuts and bolts of the enterprise, such as Prime Infrastructure, Identity Services Engine, StealthWatch, and Network Analysis Module. This session will dive into a view of tool offerings, how and why they exist for the required job, and which can work together to move towards an overall network management strategy.

Video | Slides

BRKCRS-2893 - Choice of Segmentation and Group based Policies for Enterprise Networks (2017 Las Vegas)

Hariprasad Holla - Technical Marketing Engineer, Cisco

Network segmentation is an idea of splitting a network physically and/or logically with the goal of controlling network traffic based on business requirements. There are two major motivators for network segmentation: Manageability and Security. The former helps limit broadcasts, enhance user and application experience, the latter is centered around limiting the scope of cyber attacks. Network segmentation for traffic management is far more static compared to segmentation for security. Over the years various solutions have been proposed and implemented to achieve both. This intermediate session focusses on those various options for user centric network segmentation and group based policies for Enterprise Networks. IP based policies, TrustSec and Campus Fabric solutions are some of the key topics that will be covered during the session. The target audience for this session is security and network administrators and architects.

Video | Slides

BRKSEC-3014 - Security Monitoring with StealthWatch: The detailed walkthrough (2017 Las Vegas)

Matthew Robertson - Technical Marketing Engineer, Cisco

The realities of insider threats and determined attackers have made it necessary to implement security technologies on the network interior. This session will perform a detailed walkthrough of the Cisco StealthWatch System and its use for monitoring the network interior to detect and respond to threats. This session will deep dive into data analytics with Stealthwatch: where data comes from, how it is processed and how to use it. This session will explore the analytic and detection capabilities of StealthWatch and how to best leverage the alarms and alerts as well as to drive an investigation using NetFlow data and StealthWatch to increase the security posture of an organization. The target audience for this session are network and security administrators and analysts interested in learning how to best leverage NetFlow, ISE, and StealthWatch as a component of their security operations centre.

Video | Slides

BRKCCIE-3222 - Identity Management and Access Control for CCIE Candidates (2017 Las Vegas)

Mark Bernard - CSE, Cisco

This technical breakout is designed for CCIE Security Candidates that are getting ready to study for their lab exam. The main objective on this breakout is to cover some of the core topics of Identity Management, Information Exchange, and Access Control. The topics that will be covered will closely follow the topics in the CCIE lab version 5 Blueprint to include the following: How to install, implement, and troubleshoot various personas of ISE in a multi-node deployment. How to troubleshoot network access device (NAD), ISE, and ACS configuration for AAA. Implement, verify, and troubleshoot AAA for network access with 802.1X and MAB using ISE. Verify, and troubleshoot profiling and posture assessment with ISE. Describe, implement, and troubleshoot pxGrid between security devices such as WSA, ISE, and Cisco FMC. Describe, implement, verify, and troubleshoot guest life cycle management using ISE and Cisco network infrastructure.

Video | Slides

BRKSEC-3690 - Advanced Security Group Tags: The Detailed Walk Through (2017 Las Vegas)

Darrin Miller - Distinguished Technical Marketing Engineer, Cisco

This session examines the lower level design, configuration, monitoring and troubleshooting of SGTs and SGACLs applied to use cases like user segmentation, mDNS policy controls and malware/advanced persistent threats (APTs). Security Group technology will be discussed as applied to LAN, WLAN, WAN and Data Center networks. This session will include security policy management, SGT propagation strategies, and platform specific considerations that should be considered when addressing these use cases. This session is aimed at Network/Network Security Specialists and Architects involved in designing and building advanced security solutions scenarios using Cisco network and security appliance deployment models. Attendees should be familiar with Cisco routing, switching, wireless and security appliances at a conceptual level and have a detailed knowledge of one of those disciplines.

Video | Slides

BRKSEC-3697 - Advanced ISE Services, Tips and Tricks (2017 Las Vegas)

Aaron Woland - Principal Engineer, Cisco

The Cisco Identity Services Engine (ISE) provides so many functions to the security of a network. ISE can provide Asset Visibility, Guest Access, Bring Your Own Device (BYOD), Software Defined Segmentation, Context Sharing, Threat Centric Network Access Control, as well as controlling access to network devices for configuration. Advanced ISE Services, Tips and Tricks is all new for 2017. We will examine using ISE for context sharing as part of the Rapid Threat Containment solution with a strong focus on deploying pxGrid and Identity Sharing. Leveraging ISE to provide other systems with the identities of users on the network for identity based policy is a major use-case and focus of the ISE product, and will be covered in depth. Integrations details will be covered to include Stealthwatch, Firepower Management Center (FMC) and the Web Security Appliance (WSA). Additional focus will be paid to the future of secure network access with technologies such as RFC-7170 (Tunneled EAP [TEAP]) to provide much needed certificate provisioning, certificate renewal, trust list distribution and EAP-Chaining to identify computers and the users logged into them. Attendees will also benefit from the following related sessions: BRKSEC-3699: Designing ISE for Scale and High Availability; BRKSEC-2059: Deploying ISE in a Dynamic Environment; BRKCOC-2018: Inside Cisco IT: How Cisco Deployed ISE and TrustSec Throughout the Enterprise; BRKSEC-2052: It's all about Securing the Endpoint!; LTRSEC-2002: ISE Integration with Firepower using pxGrid Protocol; BRKSEC-2695: Building an Enterprise Access Control Architecture using ISE and TrustSec; TECSEC-3672: Identity Services Engine 2.2 Best Practices; BRKSEC-3014: Security Monitoring with Stealthwatch: The detailed walkthrough; BRKSEC-2026: Building Network Security Policy Through Data Intelligence; and BRKSEC-2047: Operationalizing Advanced Threat Solutions.

Video | Slides

BRKSEC-3699 - Designing ISE for Scale & High Availability (2017 Las Vegas)

Craig Hyps - Principal Technical Marketing Engineer, Cisco

Cisco Identity Services Engine (ISE) delivers context-based access control for every endpoint that connects to your network. This session will show you how to design ISE to deliver scalable and highly available access control services for wired, wireless, and VPN from a single campus to a global deployment. Focus is on design guidance for distributed ISE architectures including high availability for all ISE nodes and their services as well as strategies for survivability and fallback during service outages. Methodologies for increasing scalability and redundancy will be covered such as load distribution with and without load balancers, optimal profiling design, and the use of Anycast. Attendees of this session will gain knowledge on how to best deploy ISE to ensure peak operational performance, stability, and to support large volumes of authentication activity. Various deployment architectures will be discussed including ISE platform selection, sizing, and network placement.

Video

Session Slides

Reference Slides

 

 

2017 Cisco Live Melbourne

March 7 – 10, 2017

Topic | Video | Slides

BRKSEC-2013 -   Responding To Real World Threats with Cisco: Cyber Threat Response Clinic (2017 Melbourne)

Joseph Muniz - Technical Solutions Architect - TheSecurityBlogger.com, Cisco

A team of engineers has created a Cyber Threat Response clinic simulating how real threats can breach your network, ranging from ransomware to advanced exploitation. This session will put you in the hot seat of a company that has experienced a breach created by Cisco that isn't triggering any signature-based security alarms. You will see how to identify, scope, contain and remediate the threat as well as learn from it to avoid a similar breach in the future through improving your security defences. This clinic has been run around the world and is designed to focus on best practices for handling cyber threats versus targeting a specific product. The goal is to learn why you need a layered security approach and how it should all work together. Technology examples will include Cisco FirePOWER services, Advanced Malware Protection, Stealthwatch, Identity Services Engine, Cisco Umbrella and more.

Video | Slides

BRKEWN-2015 -   Wireless LAN Security and Threat Mitigation (2017 Melbourne)

Karan Sheth - Sr. Technical Marketing Engineer, Cisco

Prevention is better than cure - an old saying but an extremely important one to defend your enterprise wireless network from unauthorised access and rogue threats. The best security approach is a layered approach that encompasses authorised access, intrusion protection and mitigation. In this session, we will address the current state of wireless security and explore the best practices to protect against unauthorised and uncontrolled wireless access. We will discuss some of the commonly available attack tools that can cause serious damage to authorised enterprise user experience. Attendees will get familiar with advanced capabilities and tools that are available with Cisco Unified Wireless Network solution to properly lock-down and defend their network from wireless threats. Prerequisite knowledge of 802.11 fundamentals is recommended.

Video | Slides

BRKSEC-2026 -   Building Network Security Policy Through Data Intelligence (2017 Melbourne)

Matthew Robertson - Technical Marketing Engineer, Cisco

Darrin Miller - Distinguished Technical Marketing Engineer, Cisco

Recent attacks have demonstrated insider threats and determined attackers are effectively able to operate on the network interior where they can wreak havoc on an organisation and as a result it has become necessary to implement security policies inside the network. This session leverages the foundation of the Cisco network and the building blocks of Security Group Tags (SGT) and NetFlow together with Cisco Identity Services Engine (ISE) and Cisco StealthWatch to design and build effective security policy to secure the network interior. Using these technologies the session will explore how to transform the network infrastructure to protect critical assets and to limit the movement of attackers inside the networks: effectively improving security posture and the ability to respond to attacks. This session will cover design and deployment scenarios, use cases, best practices and configuration examples as well as how to monitor and troubleshoot the deployment. The target audience for this session are network security administrators and analysts interested in learning this novel approach to network security.

Video | Slides

BRKSEC-2051 -   Security Everywhere with Cisco AnyConnect Mobility Client (2017 Melbourne)

Chirag Saxena - Security Consulting System Engineer, Cisco

This session will explain how Cisco AnyConnect Secure Mobility Client can be leveraged for secure mobility and access, endpoint compliance, deep endpoint visibility, and mitigation of malware and advanced persistent threats. All the previously mentioned features can be achieved both on and off network using the same security policy. This allows security administrators to extend their visibility down to the device and track behaviour off and on premise to understand internal threats arising from compromised systems or inappropriate insider behaviour. This session aims at highlighting client-based Virtual Private Network (VPN), Network Access Manager (NAM), Advanced Malware Protection (AMP), Cloud Web Security (CWS), Network Visibility Module (NVM) and Cisco Umbrella, all integrated into a single endpoint solution. This will cover creating the security policy deployed using AnyConnect, to protect devices on both trusted and non-trusted networks with the same level of security. This enables users to be productive, anytime, anywhere as they would be on a trusted network by ensuring threat mitigation, security at the DNS layer, stopping malware from compromising the systems, stopping botnets or phishing attacks from exfiltration of data, real-time web protection and granular application visibility and control. It also helps with shadow IT and network operations challenges.

Video | Slides

BRKSEC-2081 -   Security Overview - How it Works Inside Cisco (2017 Melbourne)

Richard Gore - IT Senior Manager, Cisco on Cisco Team, Cisco

How does Cisco secure its own information from over 1.5M attacks per day? We need to secure more than the network. We need to secure the devices (in a mobile and agile workforce). We need to secure the information (in the data centre, in the network and in the cloud). And we need to secure the people. We need to reduce and protect our attack surface, of course; but we also need to learn as soon as possible when we have been successfully attacked, and then we need to mitigate the damage, as soon as possible. This session is not a detailed analysis of Cisco security products. Instead it is about how Cisco IT has built a coordinated security architecture. We use over a dozen Cisco and homegrown and 3rd-party tools, processes and policies that all work together inside Cisco to build security and trust within our company.

Video | Slides

BRKSEC-2203 -   Enabling Software-Defined Segmentation with TrustSec (2017 Melbourne)

Kevin Regan - Product Manager, Cisco

Network segmentation is essential for protecting critical business assets, but traditional segmentation approaches involve operational complexity and can be difficult to introduce to existing environments gracefully. Balancing these demands for agility and security requires a new approach. This session will cover how to use software-defined segmentation, allowing segmentation patterns to be implemented and changed without reconfiguring network devices or redesigning the network. This session will cover how to implement segmentation based upon endpoint roles, called security groups, instead of endpoint IP addresses. IP addresses do not indicate the role of a system, the type of application a server hosts, the purpose of an IoT device or the threat-state of a system, but a TrustSec Security Group can denote any of these roles. By classifying systems using logical groups, group-based policies can be used to simplify management of security rules in firewalls, VPN appliances, Web Security Appliances, routers, switches, Wireless LAN Controllers and Access Points. The session is targeted at network and security architects who want to know more about group-based policies and software-defined segmentation.

Video | Slides

BRKSEC-2695 -   Building an Enterprise Access Control Architecture using ISE and TrustSec (2017 Melbourne)

Jatin Sachdeva - Consulting Systems Engineer, Cisco

Tomorrow's requirement to network the Internet of Things requires an access control architecture that contextually regulates who and what is allowed onto the network. Identity Services Engine (ISE) plays a central role in providing network access control for Wired, Wireless and VPN networks. In addition, ISE is the policy control point for TrustSec, which controls access from the network edge to resources. This session will focus on: 1. Emerging business requirements and ISE services such as: Guest, profiling, posture, BYOD and MDM. 2. Secure policy-based access control including 802.1X, MAB, Web Authentication, and certificates/PKI. The session will show you how to expand policy decisions to include contextual information gathered from profiling, posture assessment, location, and external data stores such as AD and LDAP. 3. Enforcing network access policy through conventional means such as VLANs and ACLs and emerging technologies such as TrustSec. Cisco TrustSec technology is used to segment the campus and data centre to increase security and drive down the operational expenses associated with managing complex ACL firewall rule tables and ACL lists. This session is an introduction to the following advanced sessions: BRKSEC-3699; BRKSEC-3697; BRKSEC-3690; BRKSEC-2203.

Video | Slides

BRKSEC-2771 -   Cisco Security and Threat Intelligence: Multiplying Threat Indicators and Improving Detection (2017 Melbourne)

Gavin Reid - CyberCzar, Cisco

Gavin Reid, Director and Cyber Czar for Cisco US Public Sector, will show how to use network-based threat intelligence to pinpoint security hacks in your hosting environment, and how to reverse the alarms to find host-based indicators for additional discovery of network intrusions. Using real-world examples of attacks on Cisco's network, they will demonstrate how they use Cisco tools like FireAmp, Source Fire, ThreatGrid, Cisco Umbrella, Web Security, Email Security, ISE, and Stealthwatch to detect, mitigate, and remediate incidents. You should attend this talk if you want to understand threat intelligence, how to use it in the real world, and how to use a Cisco-powered network defense system.

Video | Slides

BRKSEC-3004 -   Deep Dive on Cisco Security in ACI (2017 Melbourne)

Goran Saradzic - Technical Marketing Engineer and Manager, Cisco

Join a detailed study on how to protect your Cisco ACI workloads with Cisco Security platforms. We first introduce the ACI and security portfolio and then quickly deep dive into ACI deployment scenarios with high availability using Firepower NGFW(v), ASA(v), and FirePOWER NGIPS(v). Learn about Cisco Security device packages, modes of insertion, migrating your use cases to ACI, and advanced integration features, like FMC to APIC Rapid Threat Containment.

Video | Slides

BRKSEC-3014 -   Security Monitoring with StealthWatch: The Detailed Walkthrough (2017 Melbourne)

Matthew Robertson - Technical Marketing Engineer, Cisco
The realities of insider threats and determined attackers have made it necessary to implement security technologies on the network interior. This session will perform a detailed walkthrough of the Cisco StealthWatch System and its use for monitoring the network interior to detect and respond to threats. This session will cover design, deployment and operational best practices of the StealthWatch System as well as NetFlow and the Cisco ISE as components of the solution. This session will explore the analytic and detection capabilities of StealthWatch and how to best leverage the alarms and alerts as well as to drive an investigation using NetFlow data and StealthWatch to increase the security posture of an organisation. The target audience for this session are network and security administrators and analysts interested in learning how to best leverage NetFlow, ISE, and StealthWatch as a component of their security operations centre.

Video | Slides

BRKSEC-3690 -   Advanced Security Group Tags: The Detailed Walk Through (2017 Melbourne)

Darrin Miller - Distinguished Technical Marketing Engineer, Cisco

As a follow-up to BRKSEC-2690 - Deploying Security Group Tags (SGT), this session examines the lower-level design, configuration, monitoring and troubleshooting of SGTs and SGACLs applied to use cases like user segmentation, mDNS policy controls and malware/advanced persistent threats (APTs). Security Group technology will be discussed as applied to LAN, WLAN, WAN and Data Centre networks. This session will include security policy management, SGT propagation strategies, and platform-specific considerations that should be taken into account when addressing these use cases. This session is aimed at Network/Network Security Specialists and Architects involved in designing and building advanced security solution scenarios using Cisco network and security appliance deployment models. Attendees should be familiar with Cisco routing, switching, wireless and security appliances at a conceptual level and have detailed knowledge of one of those disciplines. Suggested prior sessions include sessions on the Identity Services Engine, BRKSEC-2690, and network authentication (802.1X on wired and WLAN).

Video | Slides

BRKSEC-3697 -   Advanced ISE Services, Tips and Tricks (2017 Melbourne)

Craig Hyps - Principal Technical Marketing Engineer, Cisco

Cisco Identity Services Engine (ISE) is a policy engine that enables contextual network access control across wired, wireless and remote access VPNs. ISE extends policy and access control to mobile devices (Bring Your Own Device, or BYOD). This advanced session will focus on the advanced services of ISE, successful deployment strategies, integration with Cisco as well as third-party network infrastructure, as well as deployment tips and tricks. We will examine best practices for BYOD deployments with the most common mobile platforms, including multiple tiers of registered devices. We will perform a detailed examination of certificate usage including ISE integration with your enterprise certificate authority (CA), endpoint certificate usage, and wildcard certificates. There will be a detailed examination of other advanced topics such as certificate renewal configurations and newer Guest functionality. Lastly, attendees will be introduced to troubleshooting and serviceability tips.

Video

Session Slides

Reference Slides

BRKSEC-3699 -   Designing ISE for Scale and High Availability (2017 Melbourne)

Craig Hyps - Principal Technical Marketing Engineer, Cisco

Cisco Identity Services Engine (ISE) delivers context-based access control for every endpoint that connects to your network. This session will show you how to design ISE to deliver scalable and highly available access control services for wired, wireless, and VPN from a single campus to a global deployment. Focus is on design guidance for distributed ISE architectures including high availability for all ISE nodes and their services as well as strategies for survivability and fallback during service outages. Methodologies for increasing scalability and redundancy will be covered such as load distribution with and without load balancers, optimal profiling design, and the use of Anycast. Attendees of this session will gain knowledge on how to best deploy ISE to ensure peak operational performance, stability, and to support large volumes of authentication activity. Various deployment architectures will be discussed including ISE platform selection, sizing, and network placement.

Video

Session Slides

Reference Slides

 

 

2017 Cisco Live Berlin

February 20-24, 2017

Topic | Video | Slides

BRKSEC-2344 - Device Administration with TACACS+ using Identity Services Engine 2.X (2017 Berlin)

Aaron Woland - Principal Engineer, Cisco

Device administration using TACACS+ is a key new function for Identity Services Engine (ISE). With it an enterprise can control administrative access of all their devices, and monitor the operation to ensure compliance with enterprise auditing or regulatory requirements. This session will cover topics from the basic configuration of device administration in ISE up to how to combine fine granularity command authorization with policy rules to allow an enterprise to control precisely who can do what to which devices under what specific circumstances. We will cover some common customer pitfalls, enterprise scalability issues, and considerations when migrating from ACS 5.

Video | Slides

DEVNET-1010 -   Using Cisco pxGrid for Security Platform Integration (2017 Berlin)

Syam Appala - Principal Engineer, Cisco Systems

Brian Gonsalves - Sr. Manager Product & Business Development, Cisco

Learn about the Cisco Platform Exchange Grid (pxGrid) publish/subscribe/query information exchange framework that enables multi-vendor, cross-platform network system collaboration among IT infrastructure such as security monitoring and detection systems, network policy platforms, identity and access management platforms, and virtually any other IT operations platform. This session will cover pxGrid architecture, integration use-cases, and how ecosystem partners can integrate with Cisco Identity Services Engine (ISE) and other Cisco security platforms using the pxGrid SDK. This session will cover: functional and architectural basics of the Cisco Platform Exchange Grid (pxGrid) information exchange framework for creating integrations between DevNet partner platforms and Cisco security products; and integration use-cases such as utilizing pxGrid for executing threat response actions on the network and using identity, endpoint device and user access privilege context to enhance our DevNet partners' analytics, forensics and reporting.

Video | Slides

BRKSEC-2059 -   Deploying ISE in a Dynamic Public Environment (2017 Berlin)

Clark Gambrel - Technical Leader, Engineering, Cisco

Managing a secure, yet flexible network in today's public access environments can be very challenging. Public access networks in areas like universities, hospitals and airports host a broad array of devices, both privately owned and corporately managed. With the increasing importance of the Internet of Things, the variety of devices that need to connect to these public networks is rapidly increasing. Cisco Identity Services Engine (ISE) plays an integral role in controlling the access to these dynamic public networks. This session will share lessons learned from an ISE escalation engineer in troubleshooting complex customer environments.

Video | Slides

BRKEWN-2005 -   Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD (2017 Berlin)

Federico Ziliotto - Consulting Systems Engineer, Cisco Systems

Learn how to design a secure wireless network from A to Z. In this session we will cover some of the major threats associated with wireless networks and the tools we have to mitigate and prevent them, such as rogue AP detection, wIPS and spectrum intelligence. We will also take a look at the principles of secured wireless networks (encryption, 802.1X, guest access, etc.) and will dive into the latest identity services available to address different kinds of devices (laptops, tablets, smartphones, etc.) and users (employees, guests, contractors, etc.). Prerequisites: knowledge of 802.11 and 802.1X fundamentals is recommended.

Video | Slides

BRKSEC-3697 -   Advanced ISE Services, Tips and Tricks (2017 Berlin)

Aaron Woland - Principal Engineer, Cisco

The Cisco Identity Services Engine (ISE) provides many functions for the security of a network. ISE can provide Asset Visibility, Guest Access, Bring Your Own Device (BYOD), Software Defined Segmentation, Context Sharing, Threat Centric Network Access Control, as well as controlling access to network devices for configuration. Advanced ISE Services, Tips and Tricks is all new for 2017. We will examine using ISE for context sharing as part of the Rapid Threat Containment solution with a strong focus on deploying pxGrid and Identity Sharing. Leveraging ISE to provide other systems with the identities of users on the network for identity-based policy is a major use case and focus of the ISE product, and will be covered in depth. Integration details will be covered to include Stealthwatch, Firepower Management Center (FMC) and the Web Security Appliance (WSA). Additional focus will be paid to the future of secure network access with technologies such as RFC-7170 (Tunneled EAP [TEAP]) to provide much-needed certificate provisioning, certificate renewal, trust list distribution and EAP-Chaining to identify computers and the users logged into them. Lastly, time permitting, attendees will be introduced to troubleshooting and serviceability tips. Attendees will also benefit from the following related sessions: BRKSEC-3699 Designing ISE for Scale and High Availability; BRKSEC-2344 Device Administration with TACACS+ using Identity Services Engine; BRKSEC-2059 Deploying ISE in a Dynamic Public Environment; and BRKCOC-2255 Inside Cisco IT: How Cisco Deployed ISE and TrustSec, Globally.

Video | Slides

BRKSEC-3699 -   Designing ISE for Scale & High Availability (2017 Berlin)

Craig Hyps - Principal Technical Marketing Engineer, Cisco Systems

Cisco Identity Services Engine (ISE) delivers context-based access control for every endpoint that connects to your network. This session will show you how to design ISE to deliver scalable and highly available access control services for wired, wireless, and VPN from a single campus to a global deployment. Focus is on design guidance for distributed ISE architectures including high availability for all ISE nodes and their services as well as strategies for survivability and fallback during service outages. Methodologies for increasing scalability and redundancy will be covered such as load distribution with and without load balancers, optimal profiling design, and the use of Anycast. Attendees of this session will gain knowledge on how to best deploy ISE to ensure peak operational performance, stability, and to support large volumes of authentication activity. Various deployment architectures will be discussed including ISE platform selection, sizing, and network placement. Attendees will also benefit from the following related sessions: BRKSEC-2695 - Building an Enterprise Access Control Architecture using ISE and TrustSec, BRKSEC-3697 Advanced ISE Services, Tips and Tricks

Video | Slides

CCSRST-2003 -   Bechtle on Bechtle: How we reinvent our corporate network (2017 Berlin)

The history of the Bechtle group goes back to the early 80s, when Bechtle started its business in its first office in the city of Heilbronn. Soon Bechtle began its expansion and now is servicing its customers in about 130 offices spread over 14 European countries. A major driver for success was and is its decentralized business model, enabling each individual company of the Bechtle Group to adapt their business model to the special demands of their customers. While decentralization is a keystone for success it is also a challenge for the CIO Organization, the internal IT of the Bechtle Group. In 2016 the CIO Organization started its Bechtle Corporate Network Program to renew the enterprise network and to enable 7500 employees to collaborate without losing the advantages of the agile decentralized business structure. Bechtle employees should be able to use all IT services in the same way, independent from where they access them. In this talk we want to give an overview of how we achieve this by combining various Cisco technologies like iWAN, ISR4K, Catalyst switching, ISE Identity Services, 802.11ac wireless networking, LTE mobile networking, ASA firewalling and Prime network management into a standardized blueprint. This blueprint is used to connect every branch office to each other and to the datacenters where the CIO Organization runs centralized IT services like voice and video, Citrix, Exchange, SharePoint, Navision, SAP and storage for the whole group. This project also focuses on a lot of other interesting demands like modular design, a high level of automation and other details which allow us to run the system very efficiently and offer unique usability. Besides the technical implementation we will also talk about how we run the project and how to make progress when implementing the blueprint in all 130 offices of the Bechtle Group in a short amount of time. We will also talk about how internal engineers and specialists from our business units work hand in hand to achieve our goals.

Video | Slides

DEVNET-2433 -   DevNet Workshop-Learning Cisco platform Exchange Grid (pxGrid) Dynamic Topics (2017 Berlin)

Brian Gonsalves - Sr. Manager Product & Business Development, Cisco

Syam Appala - Principal Engineer, Cisco Systems

Cisco platform Exchange Grid (pxGrid) is a framework for sharing topic information between pxGrid clients. This workshop will illustrate this concept by using the pxGrid SDK to create a pxGrid publisher and a pxGrid subscriber and having the subscriber consume inventory information from a published Auction topic. The developer should have some familiarity with Cisco Identity Services Engine (ISE) and Cisco platform Exchange Grid (pxGrid).

Video | Slides

BRKCOC-2255 -   Inside Cisco IT: How Cisco deployed ISE and TrustSec, globally (2017 Berlin)

Simon Finn - Security Architect, Cisco

Learn how Cisco's own internal IT department have deployed Identity Services Engine (ISE) and TrustSec, globally, and solved real world business and security problems by doing so. Cisco's network is authenticated and controlled by ISE across wired, wireless and VPN connections at over 440 sites worldwide, with over 1 million endpoints. The session will share Cisco IT's effort on Quarantine, Security Group Tagging (SGT), Posture and Integration with Mobile Device Management (MDM), the use of pxGrid data, Cisco IT's ISE global architecture, our approach to deployment and operations, lessons learned and roadmap. Cisco IT will be sharing actual examples and metrics from our deployment, making this session ideal for architects, mid-level technical IT professionals, project managers, and decision makers who are looking to, or are in the process of, deploying a large-scale ISE solution.

Video | Slides

PSOSDN-1202 -   Secure Data Center, WAN with FirePOWER services (AMP, IPS, URL), and Access with ISE and AnyConnect from multi vector attacks through Cisco ONE Software (2017 Berlin)

Dan Lohmeyer - Sr. Director, Cisco

William Young - Security Solutions Architect, Cisco Systems

Software made Simple - Network buyers can purchase & manage end-to-end secure infrastructure software from Cisco to protect assets across Data Center, WAN and Access. It includes features like threat defense for WAN and Edge with FirePOWER services, Policy and threat defense with ISE Plus, ISE Apex and AnyConnect Apex, and threat defense for data center with FirePOWER. Join us to learn about Cisco ONE advanced security offers.

Video | Slides

BRKGS-2002 -   Advanced Security Analytics: NetFlow for Incident Response (2017 Berlin)

Your organization is valuable and the cyber criminals know it. Malicious actors constantly make attempts to exploit users for privileged access to your enterprise network. The biggest challenge is revealing network behavior using disparate data to identify when threats breach traditional security architecture. In this session, learn about security practices that reduce the complexity involved with advanced threat protection. Leverage the network as a sensor to manage the entire attack continuum. Find out how deeper insight into the extended network is gained by exporting Cisco AVC flows. Visualize and verify traffic policy and security of your IWAN deployment. Acquire insight into DNS communications and the Cisco ASA with FirePOWER that allows the security team to maintain continuous control and visibility during a targeted attack. Find out how to decrease time to network remediation with Cisco ISE, Splunk, Elasticsearch, and ArcSight integration.

Video | Slides

BRKSEC-3014 -   Security Monitoring with StealthWatch: The detailed walkthrough (2017 Berlin)

Matt Robertson - Technical Marketing Engineer, Cisco

The realities of insider threats and determined attackers have made it necessary to implement security technologies on the network interior. This session will perform a detailed walkthrough of the Cisco StealthWatch System and its use for monitoring the network interior to detect and respond to threats. This session will cover design, deployment and operational best practices of the StealthWatch System as well as NetFlow and the Cisco ISE as components of the solution. This session will explore the analytic and detection capabilities of StealthWatch and how to best leverage the alarms and alerts as well as to drive an investigation using NetFlow data and StealthWatch to increase the security posture of an organization. The target audience for this session are network and security administrators and analysts interested in learning how to best leverage NetFlow, ISE, and StealthWatch as a component of their security operations center.

Video | Slides

BRKSEC-2444 -   CTA - detecting advanced malware with machine learning (2017 Berlin)

Michal Svoboda - Engineer, Cisco

Today's malware is built to bypass existing lines of defense from the get-go. Gaining visibility of threats in the local network is a critical part of security. Cisco's Cognitive Threat Analytics (CTA) uses machine learning algorithms to analyze web traffic and discover active malware in your infrastructure. CTA utilizes logs from a compatible Cisco or 3rd party web proxy (e.g. WSA, CWS, BlueCoat). CTA is available either stand-alone or as a part of Cisco Advanced Malware Protection (AMP). In this intermediate level session, you will learn about CTA from both product and technical perspectives. We will introduce examples of threats, the techniques that they use, and the malware life cycle - from exploit kits, through infections, monetization, and data exfiltration. Then, we will cover CTA's unique detection techniques, with in-depth coverage of some algorithms. Finally, we will wrap up with the CTA executive dashboard, integrations, automated quarantine via ISE, and incident response workflow.

Video | Slides

 

 

2016 Cisco Live Cancun

November 7-10, 2016

Topic | Video | Slides

BRKCOC-2121 - Inside Cisco IT: Enable contextual Security and Trusted access to any Cloud using Cisco ISE

Saswat Praharaj - Technical Leader, Cisco

Ranjan Jain - Security Architect - IT, Cisco

This session along with a demo will give a true insight into how Cisco IT is working on enabling a trusted and secure access to any Cloud offering (both public and private) by leveraging Cisco ISE. Cisco ISE provides the capability to leverage location and device management to be used as some of the contextual signals for the web application layer in a federated manner. Using these contextual signals, Cisco IT is enabling the fine grained security policy so that when a user accesses any type of cloud, these policies can allow access to the right type of data, when the user meets the trusted service profile. As a part of this session, you will see a demo of how ISE will provide the contextual attributes for any device and location. This session would be very useful for professionals in the security, Identity and access, networking area as well as architects and/or management professionals.

Video - Spanish

 

Video - English

Slides

 

 

2016 Cisco Live US Las Vegas

July 10 – 14, 2016

Topic | Video | Slides

DEVNET-1010 -   Using Cisco pxGrid for Security Platform Integration (2016 Las Vegas) 45 minutes

Nancy Cam-Winget - Distinguished Engineer, Cisco

Brian Gonsalves - Product Manager, Cisco

Syam Appala - Principal Engineer, Cisco Systems

Learn about the Cisco Platform Exchange Grid (pxGrid) publish/subscribe/query information exchange framework that enables multi-vendor, cross-platform network system collaboration among IT infrastructure such as security monitoring and detection systems, network policy platforms, identity and access management platforms, and virtually any other IT operations platform. This session will cover pxGrid architecture, integration use-cases, and how ecosystem partners can integrate with Cisco Identity Services Engine (ISE) and other Cisco security platforms using the pxGrid SDK. This session will cover: Functional and architectural basics of Cisco Platform Exchange Grid (pxGrid) for information exchange framework for creating integration between DevNet partner platforms and Cisco security products. Integration use-cases such as utilizing pxGrid for executing threat response actions on the network and using identity, endpoint device and user access privilege context to enhance our DevNet partners analytics, forensics and reporting.

Video | Slides

DEVNET-1217 - DevNet Workshop - Integrating to Cisco pxGrid: Sharing Your Telemetry & Context with Other pxGrid Partners (2016 Las Vegas) 45 minutes

Gajveer Singh - Software Engineer, CISCO INTERNAL

This workshop will provide a brief overview of the Cisco pxGrid security integration framework, then focus on how DevNet partners can share telemetry and contextual information from their system with other DevNet partners using the pxGrid publish/subscribe and query framework. This will be a hands-on technical working session.

Video | Slides

PCSTHT-2001 - Advanced Security Analytics: NetFlow at Terabit-Scale (2016 Las Vegas) - 30 Mins

Your organization is valuable, and the cyber criminals know it. Malicious actors regularly make attempts to exploit users for privileged access to your enterprise network. The biggest challenge is revealing network behavior, using disparate data, to identify when threats breach traditional security architecture. In this session, learn about security practices that reduce the complexity involved in advanced threat protection. Leverage the network as a sensor to manage the entire attack continuum. Find out how deeper insight into the extended network is gained by exporting Cisco AVC flows. Visualize and verify traffic policy and security of your IWAN deployment. Acquire insight into DNS communications and the Cisco ASA with FirePOWER that allows the security team to maintain continuous control and visibility during a targeted attack. Find out how to decrease time to network remediation with Cisco ISE, Splunk, Elasticsearch, and ArcSight integration.

Video | Slides

PCSTHT-2004 - Greater Operational and Security Insight Within & Across Your Cisco Environment (2016 Las Vegas) - 30 Mins

Splunk and Cisco are working together to provide unified visibility into your application and infrastructure health, better and faster response to security incidents and potential breaches, dramatic reductions in troubleshooting times, and the ability to proactively fine-tune your infrastructure capacity to meet your applications' needs. Discover ways to immediately do even more with a range of Cisco technologies and solutions (ACI, UCS, pxGrid, ISE, SourceFire, WSA, IoT, and many others) with Splunk software.

Video | Slides

PSOSEC-2009 - ISE 2.0 & 2.1 Features (2016 Las Vegas) 1 hour

Daniel Stotts - Security Product Marketing Manager, Cisco

This session will demonstrate the new ISE 2.0 and 2.1 features, such as device administration with TACACS+, streamlined visibility, and threat-centric NAC. It will also cover what's new with Cisco TrustSec and pxGrid.

Video | Slides

BRKCOC-2015 - Inside Cisco IT: Cisco IT's Assured Network Access: Identity Services Engine (ISE) Deployment and Best Practices (2016 Las Vegas) 90 minutes

Bassem Khalife - Program Manager, Cisco

This session will illustrate how Cisco IT has deployed ISE globally, the challenges we encountered, and the best practices that we recommend. Gain insight on how Cisco IT deployed Guest Access, Wireless, Wired, VPN, and Cisco Virtual Home Office (CVO) services across 440 sites worldwide, with over 300K endpoints connected on a daily basis for over 90K users. The session will also share Cisco IT's effort on Quarantine, Security Group Tagging (SGT), integration with Mobile Device Management (MDM), and the use of pxGrid data. Finally, the session will include a brief view of how Cisco IT uses Splunk for data analysis, reporting, and troubleshooting. Cisco IT will be sharing actual examples and metrics from their deployment, making this session ideal for mid-level technical IT professionals, project managers, and decision makers who are looking to deploy, or are in the process of deploying, a large-scale ISE solution.

Video | Slides

BRKSEC-2026 - Building Network Security Policy Through Data Intelligence (2016 Las Vegas) 90 minutes

Matthew Robertson - Technical Marketing Engineer, Cisco

Darrin Miller - Distinguished Technical Marketing Engineer, Cisco

Recent attacks have demonstrated that insider threats and determined attackers are effectively able to operate on the network interior, where they can wreak havoc on an organization; as a result, it has become necessary to implement security policies inside the network. This session leverages the foundation of the Cisco network and the building blocks of Security Group Tags (SGT) and NetFlow together with Cisco Identity Services Engine (ISE) and Cisco StealthWatch to design and build effective security policy to secure the network interior. Using these technologies, the session will explore how to transform the network infrastructure to protect critical assets and to limit the movement of attackers inside the network, effectively improving security posture and the ability to respond to attacks. This session will cover design and deployment scenarios, use cases, best practices and configuration examples, as well as how to monitor and troubleshoot the deployment. The target audience for this session is network security administrators and analysts interested in learning this novel approach to network security.

Video | Slides

BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment (2016 Las Vegas) 2 hours

Clark Gambrel - Technical Leader - Engineering, Cisco

Managing a secure, yet flexible network in today's public access environments can be very challenging. Public access networks in areas like universities, hospitals and airports host a broad array of devices, both privately owned and corporately managed. With the increasing importance of the Internet of Things, the variety of devices that need to connect to these public networks is rapidly increasing. Cisco Identity Services Engine (ISE) plays an integral role in controlling the access to these dynamic public networks. This session will share lessons learned from an ISE escalation engineer in troubleshooting complex customer environments.

Video | Slides

BRKSEC-2060 - Device Administration with TACACS+ using Identity Services Engine (2016 Las Vegas) 2 hours

Gennady Yakubovich - Technical Leader, Cisco

Device administration using TACACS+ is a key new function for Identity Services Engine (ISE). With it an enterprise can control administrative access of all their devices, and monitor the operation to ensure compliance with enterprise auditing or regulatory requirements. This session will cover topics from the basic configuration of device administration in ISE up to how to combine fine granularity command authorization with policy rules to allow an enterprise to control precisely who can do what to which devices under what specific circumstances. We will cover some common customer pitfalls, enterprise scalability issues, and considerations when migrating from ACS 5.

Video | Slides

BRKSEC-2203 - Deploying TrustSec Security Group Tagging (2016 Las Vegas) 2 hours

Kevin Regan - Product Manager, Cisco

This session will explain how TrustSec Security Group Tagging can be used to simplify access controls and provide software-defined segmentation. We will cover how to extend context-aware controls from the access layer to data centres in order to reduce operational effort, support compliance initiatives and facilitate BYOD. The session is targeted at network and security architects who want to know more about the TrustSec solution.

Video | Slides

BRKSEC-2695 - Building an Enterprise Access Control Architecture using ISE and TrustSec (2016 Las Vegas) 2 hours

Imran Bashir - Technical Marketing Engineer, Cisco Systems

Tomorrow's requirement to network the Internet of Things requires an access control architecture that contextually regulates who and what is allowed onto the network. Identity Services Engine (ISE) plays a central role in providing network access control for Wired, Wireless and VPN networks. In addition, ISE is the policy control point for TrustSec, which controls access from the network edge to resources. This session will focus on:

1. Emerging business requirements and ISE services such as Guest, profiling, posture, BYOD and MDM.
2. Secure policy-based access control including 802.1X, MAB, Web Authentication, and certificates/PKI. The session will show you how to expand policy decisions to include contextual information gathered from profiling, posture assessment, location, and external data stores such as AD and LDAP.
3. Enforcing network access policy through conventional means such as VLANs and ACLs and emerging technologies such as TrustSec. Cisco TrustSec technology is used to segment the campus and datacenter to increase security and drive down the operational expenses associated with managing complex firewall rule tables and ACL lists.

This session is an introduction to the following advanced sessions: BRKSEC-3699; BRKSEC-3698; BRKSEC-3690; TECSEC-3691

Video

Slides

BRKSEC-3014 - Security Monitoring with StealthWatch: The detailed walkthrough (2016 Las Vegas) 2 hours

Matthew Robertson - Technical Marketing Engineer, Cisco

The realities of insider threats and determined attackers have made it necessary to implement security technologies on the network interior. This session will perform a detailed walkthrough of the Cisco StealthWatch System and its use for monitoring the network interior to detect and respond to threats. This session will cover design, deployment and operational best practices of the StealthWatch System as well as NetFlow and the Cisco ISE as components of the solution. This session will explore the analytic and detection capabilities of StealthWatch and how to best leverage the alarms and alerts as well as to drive an investigation using NetFlow data and StealthWatch to increase the security posture of an organization. The target audience for this session are network and security administrators and analysts interested in learning how to best leverage NetFlow, ISE, and StealthWatch as a component of their security operations center.

Video | Slides

BRKSEC-3697 - Advanced ISE Services, Tips and Tricks (2016 Las Vegas) 2 hours

Aaron Woland - Principal Engineer, Cisco

The Cisco Identity Services Engine (ISE), a policy engine, enables contextual network access control across wired, wireless networks and remote access VPN. ISE extends to mobile connectivity as well (Bring Your Own Device, or BYOD). This advanced session will focus on the advanced services of ISE, successful deployment strategies, integration with Cisco as well as third party network infrastructure, as well as deployment tips and tricks. We will examine best practices for Bring Your Own Device (BYOD) deployments with the most common mobile platforms, including multiple tiers of registered devices. We will perform a detailed examination of certificate usage including integration of ISE with your enterprise certificate authority (CA), endpoint certificate usage, and wildcard certificates. There will be a detailed examination of advanced topics such as configurations for certificate renewal, and the new Guest functionality in the ISE 1.3 and newer versions. Lastly, attendees will be introduced to troubleshooting and serviceability tips. Attendees will also benefit from the following related sessions: BRKSEC-3699 Designing ISE for Scale and High Availability; BRKSEC-2060 Device Administration with TACACS+ using Identity Services Engine; BRKSEC-2059 Deploying ISE in a Dynamic Public Environment; COCSEC-2015 Inside Cisco IT: Cisco IT's Assured Network Access: Identity Services Engine (ISE) Deployment and Best Practices; BRKSEC-2026 Network as a Sensor and Enforcer; and BRKSEC-3053 Practical PKI for Remote Access VPN with ISE.

Video | Slides

BRKSEC-3699 - Designing ISE for Scale & High Availability (2016 Las Vegas) 2 hours

Craig Hyps - Technical Marketing Engineer, Cisco

Cisco Identity Services Engine (ISE) delivers context-based access control for every endpoint that connects to your network. This session will show you how to design ISE to deliver scalable and highly available access control services for wired, wireless, and VPN from a single campus to a global deployment. Focus is on design guidance for distributed ISE architectures including high availability for all ISE nodes and their services as well as strategies for survivability and fallback during service outages. Methodologies for increasing scalability and redundancy will be covered such as load distribution with and without load balancers, optimal profiling design, and the use of Anycast. Attendees of this session will gain knowledge on how to best deploy ISE to ensure peak operational performance, stability, and to support large volumes of authentication activity. Various deployment architectures will be discussed including ISE platform selection, sizing, and network placement. Attendees will also benefit from the following related sessions: BRKSEC-2695 - Building an Enterprise Access Control Architecture using ISE and TrustSec, BRKSEC-3697 Advanced ISE Services, Tips and Tricks

Video

Session Slides

 

Reference Slides

TECSEC-4273 - Cisco Security for Traditional and ACI Data Centers (2016 Las Vegas) 2 hours

Fabien Gandola - CSE, Cisco

Charlie Stokes - Technical Marketing Engineer, Cisco

Goran Saradzic - Technical Marketing Engineer, Cisco

Abhishek Singh - Technical Marketing Engineer, Cisco

Over the years, your most important Data Center assets have evolved massively. The pace of change continues to ramp with new Architectures, Virtualization, Fabrics and Clouds. This new landscape is threatened more than ever by the latest security threats. How do you evolve your data centers and ensure they are secure and compliant for an audit? Using a practical and pragmatic approach, we will present how Cisco can help you tackle your security challenges in traditional and ACI Data Centers, leveraging the intelligent network infrastructure and the broadest security portfolio in the industry: NGFW - FP9300/4100, ASA5585-X with Firepower services, AMP, virtual appliance variants, Stealthwatch, and TrustSec with ISE. Throughout the day, we will show how a holistic architectural approach is the only effective way to solve your current security challenges, for your traditional and next generation SDN-focused Data Centers.

Video | Slides

BRKSEC-2051 - It's all about Securing the Endpoint! (2016 Las Vegas) 90 minutes

Ned Zaldivar - Consulting Systems Engineer, Cisco

In today's security landscape, network security services (FW, IPS, VPN, https, etc.) can only provide limited visibility into the real-time behavior of endpoints. Corporations are struggling with network and endpoint inspection tools that are standalone technologies and don't address the true business problems. This session will clearly outline different client use cases and discuss the various endpoint solutions available to address today's business needs. Technology solutions such as AnyConnect VPN, Cloud Web Security, Advanced Malware Protection, NetFlow/IPFIX using Network Visibility Module, DNS Security, 802.1x Supplicant and Endpoint Posture Client will be covered. Configuration and best-practice guidelines will also be covered in this session. The target audience is Network, Security and Endpoint Teams.

Video | Slides

BRKSEC-3033 - Advanced AnyConnect Deployment and Troubleshooting with ASA (2016 Las Vegas) 2 hours

Hakan Nohre - Consulting Systems Engineer, Cisco

Remote access VPN can provide a flexible, transparent and yet secure working environment for mobile workers. This advanced session will explain different deployment options using Cisco AnyConnect Client with ASA. We will cover different options for strong authentication, one-time passwords and client certificates, and how these authentication options can be used together with posture assessment and enterprise directories for granular authorization. We will also cover AnyConnect customization and how to create an office-like user experience by allowing domain logon and mapping of disk drives whilst connected over the internet. Coverage of IPv6 when using AnyConnect is also included in this session. The expected audience is network or security engineers with previous experience of AnyConnect and ASA 5500, and with a good understanding of enterprise IT infrastructure, PKI and Active Directory.

Video | Slides

 

 

2016 Cisco Live Melbourne

March 2016

Topic | Video | Slides

BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec (2016 Melbourne)

Hosuk Won - Technical Marketing Engineer, Cisco

This session will focus on ISE use cases including Visibility, Guest Access, 802.1X & MAB, Compliance (Posture & MDM Integration), BYOD, Device Administration, and TrustSec. The session will also cover integration with 3rd party NAD, pxGrid, SXP, and other newly introduced features in ISE 2.0. The session will start with basic use cases using 802.1X/MAB and progress to advanced use cases, providing an overview of ISE & TrustSec.

Video | Slides

BRKSEC-3699 - Designing ISE for Scale and High Availability (2016 Melbourne)

Hosuk Won - Technical Marketing Engineer, Cisco

This session will focus on designing scalable access control services with ISE and the associated components. Topics will include distributed ISE deployment, different options to optimise ISE, managing high availability of different ISE personas, PSN redundancy, and LB/NAD configurations. The session also delves into device admin (TACACS+), 3rd party NAD support, and MSE location integration features introduced in ISE 2.0. After the session, attendees will have learned best practices around ISE design and how to avoid pitfalls when deploying ISE at large scale.

Video | Slides

COCSEC-2002 - Cisco IT - Identity Services Engine (ISE) Deployment and Best Practices (2016 Melbourne)

Simon Finn - Security Solutions Architect, Cisco

This session will cover the requirements, implementation phases and current status of the Cisco IT ISE deployment. The ISE deployment at Cisco is a large scale global production deployment that encompasses: 440 sites with 130k users and 14k guest sessions per week; 400 sites and 90k wireless authenticated users; over 192 devices in 83 locations for wired monitor mode; and 15k Cisco Virtual Office locations worldwide. Gain insight on how Cisco prioritised the deployment based on specific security requirements for profiling, authentication, posture and enforcement. Learn about best practices utilised to help deliver a successful large scale implementation. The session is ideal for mid-level technical IT professionals and decision makers who are interested in learning more about scaling ISE for large scale deployments with actual examples of how Cisco IT deployed ISE.

Video | Slides

BRKSEC-2026 - Network as a Sensor and Enforcer (2016 Melbourne)

Matthew Robertson - Technical Marketing Engineer, Cisco

Recent attacks have demonstrated that insider threats and determined attackers are effectively able to operate on the network interior, where they can wreak havoc on an organisation; as a result, it has become necessary to implement security policies inside the network. This session starts by describing the use of NetFlow, ISE and Lancope StealthWatch to discover who and what is on the network, followed by an approach to leveraging Cisco TrustSec to dynamically segment and transform the network infrastructure to protect critical assets and to limit the movement of attackers inside the network, effectively improving security posture and the ability to respond to attacks. This session will cover design and deployment scenarios, use cases, best practices and configuration examples, as well as how to monitor and troubleshoot the deployment. The target audience for this session is network security administrators and analysts interested in learning this novel approach to network security.

Video | Slides

BRKEWN-2014 - Deploying Wireless Guest Access and BYOD (2016 Melbourne)

Scott Lee-Guard - Systems Engineer, Cisco

This session focuses on design requirements and deployment considerations for Cisco's Wireless Guest Access solutions. It discusses the main components of an end-to-end guest access solution, including how to provide network access to visitors and route guest traffic across the network in a way that is safe and secure. Attendees will be introduced to a detailed discussion on various Guest Access services directly on the wireless LAN controllers (WLC) and Converged Access Catalyst switches. We will also discuss CUWN Centralised, Converged Access and FlexConnect modes of deployment, with Guest Anchor and ISE possibilities. This session is especially useful for those attendees responsible for the design, deployment, operations and management of Enterprise Campus Wireless Networks. It is assumed that all those attending this session have a working knowledge of LAN switching and routing, and of the fundamentals of 802.1x and Network Admission Control. Knowledge of 802.11 WLAN fundamentals and WLAN security is suggested.

Video | Slides

BRKSEC-2690 - Deploying Security Group Tags (2016 Melbourne)

Kevin Regan - Product Manager, Cisco

This session explains how the combination of Security Group Tags extends context-aware, role-based access control from the edge into the network. This session covers the protocols and functions that create a trusted network. We will see how this tagging ability can be deployed in the access layer, branch and the data centre in support of business requirements like regulatory compliance and BYOD. ISE drives the policy that defines how and when SGTs should be applied. The target audience for this session is network and security architects and administrators who want to know more about the TrustSec solution.

Video | Slides

 

 

2016 Cisco Live Berlin

March 2016

Topic | Video | Slides

TECSEC-3672 - Advanced - Network Access Control with ISE (Identity Service Engine) 2.0

Chrigi Altherr, Jason Kunst, Francesca Martucci, Christophe Sarrazin, Federico Ziliotto

Video | Slides

TECSEC-2222 - Securing Networks with Cisco Trustsec

Jonothan Eaves, Mike Jessup, Fay Lee

Video | Slides

COCSEC-2015 - Inside Cisco IT: Cisco IT’s Assured Network Access: Identity Services Engine (ISE) Deployment and Best Practices (2016 Berlin)

Bassem Khalife - Program Manager, Cisco

This session will illustrate how Cisco IT has deployed ISE globally, the challenges we encountered, and the best practices that we recommend. Gain insight on how Cisco IT deployed Guest Access, Wireless, Wired, VPN, and Cisco Virtual Home Office (CVO) services across 440 sites worldwide, with over 300K endpoints connected on a daily basis for over 90K users. The session will also share Cisco IT’s effort on Quarantine, Security Group Tagging (SGT), integration with Mobile Device Management (MDM), and the use of pxGrid data. Finally, the session will include a brief view of how Cisco IT uses Splunk for data analysis, reporting, and troubleshooting. Cisco IT will be sharing actual examples and metrics from their deployment, making this session ideal for mid-level technical IT professionals, project managers, and decision makers who are looking to deploy, or are in the process of deploying, a large-scale ISE solution. Attendees will also benefit from the following related sessions: BRKSEC-2044 Building an Enterprise Access Control Architecture with ISE, BRKSEC-3697 Advanced ISE Services, Tips and Tricks, BRKSEC-3699 Designing ISE for Scale and High Availability.

Video | Slides

BRKSEC-2051 - It's all about Securing the Endpoint! (2016 Berlin)

Jerry Lin - Consulting Systems Engineer, Cisco

In today’s security landscape, network security services (FW, IPS, VPN, https, etc.) can only provide limited visibility into the real-time behavior of client PCs and mobile devices. Corporations are struggling with network and endpoint inspection tools that are standalone technologies and don’t address the true business problems. This session will clearly outline different client use cases and discuss the various endpoint solutions available to address today’s business needs. Technology solutions such as VPN (Always-ON, SBL, PerApp VPN, Connect On Demand, etc.), Cloud Web Security client, FireAMP client, AnyConnect 4.2 Appflow with Lancope, AnyConnect NAM for MACsec, and ISE Posture Client will be covered along with best-practice deployment. Configuration guidelines and procedures will be covered in this session. The target audience is Network and Endpoint Security Teams.

Video | Slides

BRKSEC-3699 - Advanced - Designing ISE for Scale & High Availability (2016 Berlin)

Craig Hyps - Technical Marketing Engineer, Cisco

Cisco Identity Services Engine (ISE) delivers context-based access control for every endpoint that connects to your network. This session will show you how to design ISE to deliver scalable and highly available access control services for wired, wireless, and VPN from a single campus to a global deployment. Focus is on design guidance for distributed ISE architectures including high availability for all ISE nodes and their services as well as strategies for survivability and fallback during service outages. Methodologies for increasing scalability and redundancy will be covered such as load distribution with and without load balancers, optimal profiling design, and the use of Anycast. Attendees of this session will gain knowledge on how to best deploy ISE to ensure peak operational performance, stability, and to support large volumes of authentication activity. Various deployment architectures will be discussed including ISE platform selection, sizing, and network placement. Attendees will also benefit from the following related sessions: BRKSEC-2044 Building an Enterprise Access Control Architecture with ISE, BRKSEC-3697 Advanced ISE Services, Tips and Tricks

Video | Slides

BRKCRS-1449 - Introductory - Network as a Sensor / Enforcer : Cisco's End-to-End Analysis and Security Architectures (2016 Berlin)

Scott Hodgdon - Technical Marketing Engineer, Cisco

Driven by the mobility, cloud computing, and Internet of Everything megatrends and fueled by increasingly sophisticated cybercriminals, today’s information landscape is more dynamic and more vulnerable than ever before. In this session we will introduce you to Cisco’s Network as a Sensor (NaaS) and Network as an Enforcer (NaaE) architectures that allow you to implement a comprehensive, network-enabled approach to cybersecurity. NaaS relies on Cisco’s Flexible NetFlow capabilities to deliver real-time, end-to-end flow information to the StealthWatch flow analyzer to detect security anomalies before they impact the network. NaaE utilizes Cisco’s innovative TrustSec architecture to deliver end-to-end network segmentation and security. The session will show you the value of implementing both NaaS and NaaE which allows you to quickly identify, isolate, and counter cyberthreats. Discover how you can integrate the latest security technologies into a unified solution that gives you unprecedented visibility across your entire network at all times, enabling you to detect anomalous traffic and prevent access violations, segment the network to shrink the attack surface, and automate for near-real-time threat mitigation.

Video | Slides

PSOSEC-4003 - Stop Threats Before They Stop You: Gain visibility and control as you speed time to containment of infected endpoints (2016 Berlin)

Andrew Peters - Sr. Manager, SAMPG, Cisco

Today, organizations require more automated, advanced, and scalable security capabilities. Requirements include both advanced threat sensors, with continually updated threat intelligence, that identify malware and the capability to contain compromised endpoints quickly and efficiently. Organizations are finding the integration of disparate systems from multiple security vendors to be both cost prohibitive and limited in threat detection and containment effectiveness. Instead, they require comprehensive, tightly integrated, and vendor-supported systems that improve operational efficiency and quickly detect, analyze, and contain threats. The specific elements required are:

- Advanced malware detection with network and endpoint sensors to identify threats throughout the network
- Automated analysis and qualification of threats and Indicators of Compromise that provide IT Security with contextual visibility to rapidly understand and contain attacks
- Continually updated threat intelligence to maximize effectiveness against advancements in malware
- Pervasive network enforcement capability, to enable immediate containment or quarantine of compromised endpoints until they are remediated

The Firepower & ISE Rapid Threat Containment solution automatically detects and contains malware with a set of tightly integrated and vendor-supported detection, visibility and enforcement technologies.

Video | Slides

BRKSEC-2073 - NetFlow Security Monitoring with Cisco StealthWatch (2016 Berlin)

Eric Rennie - Technical Solutions Architect, Lancope

Matthew Robertson - Technical Marketing Engineer, Cisco

Recent trends have led to the erosion of the security perimeter, and attackers are increasingly gaining operational footprints on the network interior. This session takes an in-depth look at NetFlow with the goal of leveraging the technology to provide heightened visibility and context into network traffic in order to identify attackers and accelerate incident response. Design, deployment and operational best practices in establishing a NetFlow security monitoring program using the StealthWatch System as a collection and analysis technology will be presented. Use cases in how to best organize and query NetFlow and the Cisco ISE as an additional telemetry source using StealthWatch will be discussed. Further use cases of how to drive an investigation in order to identify an attacker's presence on the network based on the statistical analysis of NetFlow telemetry will be covered. The target audience for this session is network and security administrators and analysts interested in learning how to add NetFlow as a component of their security operations centre.

Video | Slides

BRKCRS-2891 - Enterprise Network Segmentation with Cisco TrustSec (2016 Berlin)

Hariprasad Holla - Technical Marketing Engineer, Cisco

This session provides an overview of the Cisco TrustSec Security Group Access (SGA) solution for Enterprise network segmentation and Role-Based Access Control. SGA allows for simplified network segmentation based on User Identity/Role and allows for secure access and consistent security policies across Wired/Wireless networks. We will cover the SGA solution on the Catalyst, Nexus Switching and Routing (ASR1K/CSR/ISR) platforms, including converged wired/wireless, with a focus on the deployment use cases in campus, data center and branch networks. The session covers an architectural overview of SGA and the benefits of TrustSec role-based policies, and elements of Cisco TrustSec such as user identification with 802.1x, device identification, role classification using Security Group Tagging (SGT) and enforcement using Security Group Access Control List (SGACL). This session is for Network Architects, Pre-Sales Engineers and Technical Decision Makers. Previous knowledge or experience is recommended in campus design, Internet edge design, routing protocol design, and Layer 2 and Layer 3 switching.

Video | Slides

BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment (2016 Berlin)

Clark Gambrel - Technical Leader - Engineering, Cisco

Managing a secure, yet flexible network in today's public access environments can be very challenging. Public access networks in areas like universities, hospitals and airports host a broad array of devices, both privately owned and corporately managed. With the increasing importance of the Internet of Things, the variety of devices that need to connect to these public networks is rapidly increasing. Cisco Identity Services Engine (ISE) plays an integral role in controlling the access to these dynamic public networks. This session will share lessons learned from an ISE escalation engineer in troubleshooting complex customer environments.

Video | Slides

BRKSEC-2026 - Network as a Sensor and Enforcer (2016 Berlin)

Matthew Robertson - Technical Marketing Engineer, Cisco

Fay Lee - Technical Marketing Engineer, Cisco

Recent attacks have demonstrated insider threats and determined attackers are effectively able to operate on the network interior where they can wreak havoc on an organization and as a result it has become necessary to implement security policies inside the network. This session starts by describing the use of NetFlow, ISE and StealthWatch to discover who and what is on the network followed by an approach to leveraging Cisco TrustSec to dynamically segment and transform the network infrastructure to protect critical assets and to limit the movement of attackers inside the networks: effectively improving security posture and the ability to respond to attacks. This session will cover design and deployment scenarios, use cases, best practices and configuration examples as well as how to monitor and troubleshoot the deployment. The target audience for this session are network security administrators and analysts interested in learning this novel approach to network security.

Video | Slides

BRKSEC-3697 - Advanced ISE Services, Tips and Tricks (2016 Berlin)

Aaron Woland - Principal Engineer, Cisco

The Cisco Identity Services Engine (ISE), a policy engine, enables contextual network access control across wired, wireless networks and remote access VPN. ISE extends to mobile connectivity as well (Bring Your Own Device, or BYOD). This advanced session will focus on the advanced services of ISE, successful deployment strategies, integration with Cisco as well as third party network infrastructure, as well as deployment tips and tricks. We will examine best practices for Bring Your Own Device (BYOD) deployments with the most common mobile platforms, including multiple tiers of registered devices. We will perform a detailed examination of certificate usage including integration of ISE with your enterprise certificate authority (CA), endpoint certificate usage, and wildcard certificates. There will be a detailed examination of advanced topics such as configurations for certificate renewal, and the new Guest functionality in the ISE 1.3 and newer versions. Lastly, attendees will be introduced to troubleshooting and serviceability tips. Attendees will also benefit from the following related sessions: BRKSEC-3699 Designing ISE for Scale and High Availability; BRKSEC-2060 Device Administration with TACACS+ using Identity Services Engine; BRKSEC-2059 Deploying ISE in a Dynamic Public Environment; COCSEC-2015 Inside Cisco IT: Cisco IT’s Assured Network Access: Identity Services Engine (ISE) Deployment and Best Practices; BRKSEC-2026 Network as a Sensor and Enforcer; and BRKSEC-3053 Practical PKI for Remote Access VPN with ISE.

Video | Slides

BRKSEC-2060 - Device Administration with TACACS+ using Identity Services Engine (2016 Berlin)

Douglas Gash - Technical Leader, Cisco

Device administration using TACACS+ is a key new function for Identity Services Engine (ISE). With it an enterprise can control administrative access of all their devices, and monitor the operation to ensure compliance with enterprise auditing or regulatory requirements. This session will cover topics from the basic configuration of device administration in ISE up to how to combine fine granularity command authorization with policy rules to allow an enterprise to control precisely who can do what to which devices under what specific circumstances. We will cover some common customer pitfalls, enterprise scalability issues, and considerations when migrating from ACS 5.

Video | Slides

BRKSEC-2132 - What's new in ISE Active Directory connector (2016 Berlin)

Chris Murray - Technical Leader, Cisco

Cisco Identity Services Engine (ISE) integrates with Active Directory using a new connector. We will introduce new features, concepts and troubleshooting tools as well as best practices to help you avoid and resolve issues. This session is a prerequisite for any ISE deployment if your company has deployed multiple Active Directories.

Video | Slides

BRKSEC-2203 - Intermediate - Enabling TrustSec Software-Defined Segmentation (2016 Berlin)

Kevin Regan - Product Manager, Cisco

This session will explain how TrustSec can be used to simplify access controls and provide software-defined segmentation. We will cover how to extend context-aware controls from the access layer to anywhere on an Enterprise network in order to reduce operational effort, support compliance initiatives and facilitate BYOD. The session is targeted at network and security architects who want to know more about the TrustSec solution.

Video | Slides

BRKSEC-3690 - Advanced Trustsec – Deep dive on software defined segmentation (2016 Berlin)

Kevin Regan - Product Manager, Cisco

This session examines the lower level design, configuration, monitoring and troubleshooting of SGTs and SGACLs applied to segmentation and access control use cases. Security Group technology will be discussed as applied to LAN, WLAN, WAN and Data Center networks. This session will include reviews of customer deployments that include security policy management, SGT propagation strategies, and platform specific considerations. This session is aimed at Network/Network Security Specialists and Architects involved in designing and building advanced security solution scenarios using Cisco network and security appliance deployment models. Attendees should be familiar with Cisco routing, switching, wireless and security appliances at a conceptual level and have detailed knowledge of one of those disciplines.

Video | Slides

BRKSEC-3053 - Practical PKI for Remote Access VPN with ISE (2016 Berlin)

Ned Zaldivar - Security Consulting Systems Engineer, Cisco

This intermediate to advanced level session will provide a technical overview of AnyConnect using PKI solutions including Cisco ISE and MSFT CA. A number of different SSLVPN use cases, including bring your own device and integration with ISE will be introduced and explained. The recommended solutions will focus on ease of use and manageability including troubleshooting with detailed configuration examples. By the end of the session participants should grasp the major steps in X.509 certificate deployment and be able to make informed decisions about using certificate authentication with Cisco solutions. The target audience are security and network administrators with Remote Access and Certificate background. The audience will benefit from previous Cisco SSLVPN and ISE experience.

Video | Slides