SAFE Overview Guide
Capabilities and Threats
November 2015
CONTENTS
SAFE—What is It? 3
The Need for SAFE 4
The Benefits 4
How to Use SAFE 4
The SAFE Method 5
The Key 7
Places in the Network 9
Secure Branch 10
Secure Campus 11
Secure Data Center 12
Secure Edge 13
Secure Cloud 14
Secure WAN 15
Secure Domains 16
Management 17
Security Intelligence 18
Compliance 19
Segmentation 20
Threat Defense 21
Secure Services 22
Under Attack with SAFE 23
SAFE Pieces 24
SAFE Capability Guide
Security Guarantee* badge (figure). *This is NOT a guarantee.
SAFE—What is It?
Securing today's business is getting harder, and the difficulty grows as the world becomes more
complicated. Being entirely safe is no longer realistic, whatever any vendor claims. Former Cisco CEO
John Chambers has famously said that "there are two types of companies: ones that have been breached
and those that do not realize it..." Cisco aims to simplify security because the increasing fragmentation
of technology multiplies the attack surface, which in turn complicates the defenses. Fraudsters are
developing more lucrative schemes and more advanced threats. The industry needs a resource that looks
at the problem from an end-to-end perspective and also makes it easier to understand. The solution has
to be comprehensive, credible, and about more than products; it needs to focus on the threats the
industry actually faces.
SAFE is a model built to address that need. It provides a method for understanding today's challenges
in a language that changes the way we think about security. SAFE simplifies security by employing
game theory with building blocks that are focused on threats and on the best practices for defending
against them. It is not a perfect model; no model is. But with SAFE, you can use simple concepts to
focus on the complex challenges. You can break the problem down into building blocks that simplify
design, build, and maintenance, with security baselined in its DNA.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2015 Cisco Systems, Inc. All rights reserved
The Need for SAFE
Three major security challenges exist today:
• Complexity: Organizations have dozens of technologies that do not interoperate seamlessly. The
  shortage of available IT talent increases the challenge.
• Changing business models: Organizations continue to leverage technology for competitive advantage,
  which will accelerate change in the years to come.
• Dynamic threat landscape: The attackers are not resting. As our business and technologies change,
  attacker techniques evolve. The success of cybercrime has expanded the threat landscape.
Security today has evolved. Classic perimeter defenses are no longer sufficient. The industry demands
an actionable model that can apply to the needs of the business, as well as provide reasonable defense
against today's complex threats.
Defenses need to secure any user with any device, across any network, to any application. Thus the need
for SAFE.
The Benefits
SAFE simplifies security by providing a method
Cost-effective solutions can be considered based on an assessment of threat, risk, and policy.
SAFE simplifies the discussion
SAFE bridges the gap between the executive audience and the technical audience by providing a common
language for expressing business-focused concerns. CXO-level audiences can communicate directly with
technical staff in terms that both can understand by mapping business concerns to technical solutions.
The SAFE Model is credible
Each of the SAFE logical areas has architectural discussions and laboratory-tested designs from the
brightest security minds across Cisco, its customers, and partners. SAFE’s Cisco Validated Designs address
critical security topics and have been deployed, tested, and documented for “how to do it.”
How to Use SAFE
The SAFE Model is not a single answer
SAFE provides a method for analyzing threats, risks, and policies across companies. This does not mean
that all companies are the same. Obviously, the concerns of retailers are not the same as the needs of
healthcare organizations. However, some elements are indeed identical. Every organization needs
routing, switching, and wireless, and they all use the same security capabilities to protect them. SAFE
provides a structure that is modular and similar across organizations. Using security best practices to
simplify the design and maintenance of the overall company, it also allows customization for different
industries.
The SAFE Method
The SAFE method ensures that business goals are measurably secured according to each company's
security policy and risk appetite, using the following steps:
• Identify business goals.
• Break down the network into manageable pieces.
• Establish criteria for the success of the business.
• Categorize risks, threats, and policies.
• Build the security solution.
The three phases of building the security solution are as follows:
1. Capability phase: Using the business goals, risks, policies, and threats from above, justify which
   security capabilities are required.
2. Architecture phase: Using the justified capabilities, arrange them in a logical architecture.
3. Design phase: Using the architecture, create a design that is complete with a product list,
   configuration, services, and cost.
This method produces a technical bill of materials. Cost benefit analysis to the goals that were identified
above can now be assessed.
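The capability and design phases above can be exercised mechanically. The Python example below is an added illustration written for this page, not Cisco's SAFE tooling: it takes the top threats the guide catalogues for the branch and a capability-to-threat map, justifies a set of capabilities by greedy weighted set cover, and rolls the result into a bill of materials. The capability-to-threat map, the relative unit costs and the product names are assumptions made for the example.

```python
"""Worked example of the SAFE capability phase: from a PIN's catalogued top
threats and a capability-to-threat map, select a cost-justified set of
capabilities and roll them up into a design-phase bill of materials.

Added illustration for this page; not Cisco's SAFE tooling. The branch threat
list comes from the guide's "Secure Branch" section and the capability names
from Table 2. The capability-to-threat map, the relative unit costs and the
product choices are ASSUMPTIONS made for the example.
"""
from __future__ import annotations

# Top threats mitigated in the branch (from the guide's Secure Branch section).
BRANCH_THREATS = {
    "endpoint malware",
    "wireless infrastructure exploits",
    "unauthorized/malicious client activity",
    "exploitation of trust",
}

# ASSUMED reading of which catalogued threat each capability addresses.
CAPABILITY_COVERS = {
    "firewall": {"unauthorized/malicious client activity"},
    "intrusion prevention": {"unauthorized/malicious client activity", "endpoint malware"},
    "anti-malware": {"endpoint malware"},
    "client security": {"endpoint malware"},
    "wireless intrusion prevention": {"wireless infrastructure exploits"},
    "identity/authorization": {"exploitation of trust", "unauthorized/malicious client activity"},
    "posture assessment": {"exploitation of trust"},
    "flow analytics": {"unauthorized/malicious client activity"},
}

# ASSUMED relative per-branch cost units (not from the guide).
UNIT_COST = {
    "firewall": 4, "intrusion prevention": 3, "anti-malware": 2, "client security": 2,
    "wireless intrusion prevention": 3, "identity/authorization": 5,
    "posture assessment": 2, "flow analytics": 1,
}

# ASSUMED design-phase product per capability (illustrative placeholders).
PRODUCT_FOR = {
    "firewall": "branch router with zone-based firewall",
    "intrusion prevention": "IPS module on the branch router",
    "anti-malware": "network anti-malware service",
    "client security": "endpoint protection agent",
    "wireless intrusion prevention": "WLAN controller with WIPS",
    "identity/authorization": "central identity service",
    "posture assessment": "endpoint posture agent",
    "flow analytics": "NetFlow export to a collector",
}


def justify_capabilities(threats, covers=CAPABILITY_COVERS, cost=UNIT_COST):
    """Capability phase as greedy weighted set cover.

    Each round picks the unselected capability with the lowest cost per newly
    covered threat (ties broken by name) until every threat is covered or no
    remaining capability covers anything. Returns (selected capabilities in
    selection order, threats left uncovered). Greedy set cover is not
    guaranteed optimal, but it gives an explainable justification.
    """
    remaining = set(threats)
    selected = []
    while remaining:
        best, best_ratio = None, None
        for cap, covered in covers.items():
            if cap in selected:
                continue
            gain = len(covered & remaining)
            if gain == 0:
                continue
            ratio = cost[cap] / gain
            if best is None or ratio < best_ratio or (ratio == best_ratio and cap < best):
                best, best_ratio = cap, ratio
        if best is None:
            break  # nothing left can cover the remaining threats: report them
        selected.append(best)
        remaining -= covers[best]
    return selected, remaining


def bill_of_materials(selected, products=PRODUCT_FOR, cost=UNIT_COST):
    """Design phase: map justified capabilities to products and total the cost."""
    lines = [(cap, products[cap], cost[cap]) for cap in selected]
    return {"lines": lines, "total_cost": sum(c for _, _, c in lines)}


if __name__ == "__main__":
    chosen, uncovered = justify_capabilities(BRANCH_THREATS)
    bom = bill_of_materials(chosen)
    for cap, product, c in bom["lines"]:
        print(f"{cap:32s} -> {product} (cost {c})")
    print("total cost:", bom["total_cost"], "| uncovered:", sorted(uncovered) or "none")
```

With these assumed numbers the cheapest cover is flow analytics, anti-malware, posture assessment and wireless intrusion prevention. A real capability phase would also carry the attack-continuum phase from Table 2 (Before/During/After) so that a threat is not counted as covered by a detective control such as flow analytics alone; that is a filter on `covers` before the call, and the uncovered set is exactly the list of gaps to take back to the policy and risk discussion.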
Table 1 shows the phases of the SAFE method with logical icons.
Table 1 The SAFE Method (columns: Key, Function, Example)
Key: The Key documents threats, risks, and policies throughout an organization.
  Example: Organizational Model
Threat: The top security threats of an organization are catalogued.
  Example: Unauthorized Packets (this threat is blocked by firewalls)
Capability: Capabilities are used to describe security functions.
  Example: Firewall
Architecture: Architectures are used to logically arrange the security capabilities.
  Example: Firewall Capability on a Logical Router
Design: Designs are used to provide specific products and services.
  Example: 4451x with Firewall
The Key
There are two parts to the Key to SAFE: "Places in the Network" and "Secure Domains."
The Key to SAFE is shown in Figure 1. It shows the locations in a network and the operational
functions that are commonly used to help defend them.
Figure 1
Key to SAFE
The Key is a navigational tool. It summarizes the major areas of cyber security, and each one has
additional information and detail within the SAFE program. The following sections clarify the
functional capabilities needed to address top threats in each Place in the Network (PIN) and in each
Secure Domain.
Figure 2 shows the logical relationship of any user, any client, any network, any application, and the
security capabilities used to help defend them.
Figure 2 Security Capabilities (figure; its labels are listed here)
Columns, left to right: HUMAN (User); CLIENT (Device: Wired, Wireless); NETWORK (Analyze, WAN,
Cloud); APPLICATION.
Environment layer: Policy/Configuration, Time Synchronization, Logging/Reporting.
Infrastructure elements: User, Client, Network Infrastructure, Wireless Connection, Public Cloud,
Voice, Service, Conference Bridge, Server, Load Balancer, Storage, Video.
Progression of security capabilities: Identity Authorization, Client Security, Firewall, Mobile Device
Management, Anti-Malware, VPN Concentrator, Cloud Web Security, Web Application Firewall,
Server-Based Security, Posture Assessment, Intrusion Detection, Wireless Intrusion Detection, Threat
Intelligence, Virtual Private Network, Web Security, Application Visibility Control, Email Security,
Intrusion Prevention, Wireless Intrusion Prevention, Flow Analytics, Distributed Denial of Service,
Web Reputation/Filtering, TLS Offload, Malware Sandbox.
Shared/Management capabilities: Vulnerability Management, Monitoring, Analysis/Correlation, Anomaly
Detection.
In Figure 2, security capabilities progress from left to right to show an environment that could potentially
be under attack, carry implicit risk, or be affected by policy. Advanced threats are usually a combination
of attacks across several of the vertical columns within an organization. Each part of SAFE uses a
portion of this diagram to show how the pieces fit together from an infrastructure and operational view.
The following sections refer back to this logical relationship and how it applies to a location or function
of operations.
Places in the Network
SAFE simplifies network security by providing solution guidance using the Places in the Network
(PINs).
PINs are locations that are commonly found in networks (see Figure 3) and conceptually represent the
infrastructure deployed in these locations. They are blueprints for the fundamentals that comprise
today’s organizations: authentication, routing, switching, wireless, firewall, intrusion detection, and so
on. Specific industry guidance for healthcare, retail, financial, and other verticals is covered in the
Secure Domains.
Figure 3 Places in the Network: Branch, Campus, WAN, Data Center, Edge, Cloud.
Secure Branch
Branches are typically less secure than their campus and data center counterparts.
Economics often dictate that it is cost prohibitive to duplicate, across hundreds of branches, all the
security controls typically found at those larger locations. This makes branch locations prime targets
and more susceptible to a breach. In response, it is important to include vital security capabilities
while ensuring cost-effective designs in the branch.
Figure 4 shows the progression of security capabilities used to help defend against the attacks common
in a branch.
Figure 4 Secure Branch (figure; its labels are listed here)
Attack surface: Wireless Infrastructure Exploits, Unauthorized/Malicious Client Activity, Exploitation of
Trust, Endpoint Malware.
Security capabilities: Client Security, Firewall, Mobile Device Management, Anti-Malware, Posture
Assessment, Intrusion Detection, Wireless Intrusion Detection System, Threat Intelligence, Intrusion
Prevention, Wireless Intrusion Prevention System, Cloud Web Security, Virtual Private Network (VPN),
Flow Analytics.
Top Threats Mitigated in the Branch
• Endpoint malware (POS malware)
• Wireless infrastructure exploits (rogue AP, Man in the Middle)
• Unauthorized/malicious client activity
• Exploitation of trust
For a deeper discussion on Secure Branch, see www.cisco.com/go/SAFE.
Secure Campus
Campuses contain large user populations with a variety of device types and
traditionally few internal security controls. Because of the large number of security
zones (subnets and VLANs), secure segmentation is difficult. The lack of security
controls and visibility, combined with guest and partner access, makes campuses prime
targets for attack.
Figure 5 shows the progression of security capabilities that are used to help defend against the attacks
common in a campus.
Figure 5 Secure Campus (figure; its labels are listed here)
Attack surface: Web-based Exploits, Man-in-the-Middle, BYOD (Larger Attack Surface), Malware
Propagation, Botnet Infestation.
Security capabilities: Client Security, Firewall, Mobile Device Management, Anti-Malware, Posture
Assessment, Intrusion Detection, Wireless Intrusion Detection System, Threat Intelligence, Intrusion
Prevention, Wireless Intrusion Prevention System, Virtual Private Network, Flow Analytics.
Top Threats Mitigated in the Campus
• Phishing
• Web-based exploits
• Unauthorized network access
• Malware propagation
• BYOD (larger attack surface/increased risk of data loss)
• Botnet infestation
For a deeper discussion on Secure Campus, see www.cisco.com/go/SAFE.
Secure Data Center
Data centers contain the majority of information assets and intellectual property.
These are the primary targets of all targeted attacks and thus require the highest level
of effort to secure. Data centers contain hundreds to thousands of physical and
virtual servers that are segmented by application type, data classification zone, and
other methods. Creating and managing proper security rules to control access to
(north/south) and between (east/west) resources can be exceptionally difficult.
Figure 6 shows the progression of security capabilities that are used to help defend against the attacks
common in a data center.
Figure 6 Secure Data Center (figure; its labels are listed here)
Attack surface: Unauthorized Network Access, Data Extraction, Malware Propagation, Botnet Infestation.
Security capabilities: Firewall, Anti-Malware, Web Application Firewall, Server-Based Security,
Intrusion Detection, Threat Intelligence, Application Visibility Control, Email Security, Intrusion
Prevention, Flow Analytics, SSL/TLS Offload, Malware Sandbox.
Top Threats Mitigated in the Data Center
• Data extraction (data loss)
• Malware propagation
• Unauthorized network access (application compromise)
• Botnet infestation (scrumping, data loss, privilege escalation, reconnaissance)
For a deeper discussion on Secure Data Center, see www.cisco.com/go/SAFE.
Secure Edge
The edge is the highest-risk PIN because it is the primary ingress point for public
traffic from the Internet and the primary egress point for corporate traffic to the
Internet. Simultaneously, it is the most critical business resource in today's
Internet-based economy.
Figure 7 shows the progression of security capabilities that are used to help defend against the attacks
common at the network edge.
Figure 7 Secure Edge (figure; its labels are listed here)
Attack surface: Webserver Vulnerabilities, Man-in-the-Middle, Data Loss, DDoS.
Security capabilities: Firewall, Anti-Malware, Intrusion Detection, Threat Intelligence, Intrusion
Prevention, Flow Analytics, Web Application Firewall, Server-Based Security, Web Security,
Application Visibility Control, Email Security, Web Reputation/Filtering/DCS, SSL/TLS Offload,
Malware Sandbox, VPN Concentrator, Distributed Denial of Service Protection.
Top Threats Mitigated in the Edge
• Webserver vulnerabilities
• Distributed denial of service (DDoS)
• Data loss
• Man-in-the-Middle (MitM)
For a deeper discussion on Secure Edge, see www.cisco.com/go/SAFE.
Secure Cloud
The majority of cloud security risk stems from loss of control, lack of trust, shared
access, and shadow IT. Service Level Agreements (SLAs) are the primary tool for
businesses to dictate control of security capabilities selected in cloud-powered
services. Independent certification and risk assessment audits should be used to
improve trust.
Figure 8 shows the progression of security capabilities used to help defend against the attacks common
in the cloud.
Figure 8 Secure Cloud (figure; its labels are listed here)
Attack surface: Webserver Vulnerabilities, Man-in-the-Middle, Virus and Malware.
Security capabilities: Anti-Malware, Cloud Web Security, Server-Based Security, Application Visibility
Control, Threat Intelligence, Web Reputation/Filtering/DCS.
Top Threats Mitigated in the Cloud
• Webserver vulnerabilities
• Loss of access
• Virus and malware
• Man-in-the-Middle (MitM)
For a deeper discussion on Secure Cloud, see www.cisco.com/go/SAFE.
Secure WAN
The WAN connects all company locations together to provide a single point of
control and access to all resources. Managing security and quality of service (QoS)
policies to control communication can be exceptionally difficult and complex.
Figure 9 shows the progression of security capabilities used to help defend against the attacks common
in a WAN.
Figure 9 Secure WAN (figure; its labels are listed here)
Attack surface: Malware Propagation, Unauthorized Network Access, WAN Sniffing, Man-in-the-Middle.
Security capabilities: Firewall, Anti-Malware, Intrusion Detection, Threat Intelligence, Intrusion
Prevention, Flow Analytics, Virtual Private Network.
Top Threats Mitigated in the WAN
• Malware propagation
• Unauthorized network access
• WAN sniffing and MitM attacks
For a deeper discussion on Secure WAN, see www.cisco.com/go/SAFE.
Secure Domains
The Secure Domains represent the operational side of the Key. Operational security is divided by
function and the people in the organization that are responsible for them. Each domain has a class of
security capabilities and operational aspects that must be considered. (See Figure 10.)
Figure 10 SAFE Model Secure Domains
Management
Management of devices and systems using centralized services is critical for consistent policy
deployment, workflow change management, and the ability to keep systems patched.
Management coordinates policies, objects, and alerting.
Figure 11 shows the progression of security capabilities used for the operations of Management.
Figure 11 Management Domain Capabilities (figure; its labels are listed here)
Across the PINs (User, Device, Wired, Wireless, Service, Cloud, WAN, Analysis): Policy/Configuration,
Logging/Reporting, Time Synchronization, Monitoring, Vulnerability Management,
Analysis/Correlation, Anomaly Detection.
Security Intelligence
Security Intelligence provides global detection and aggregation of emerging malware and
threats. It enables an infrastructure to enforce policy dynamically, as reputations are
augmented by the context of new threats, providing accurate and timely security protection.
Figure 12 shows the progression of security capabilities used for the operations of Security Intelligence.
Figure 12 Security Intelligence Capabilities (figure; its labels are listed here)
Across the PINs (User, Device, Access, Wired, Wireless, Service, Cloud, WAN, Analysis): Client Security,
Email Security, Intrusion Detection, Malware Sandbox, Web Application Firewall, Posture Assessment,
Server-Based Security, Application Visibility Control, Intrusion Prevention, Firewall, Wireless Intrusion
Prevention, Web Reputation/Filtering, Mobile Device Management, Wireless Intrusion Detection,
Distributed Denial of Service, Threat Intelligence, Anti-Malware, Flow Analytics, Cloud Web Security,
Web Security.
Compliance
Compliance addresses internal and external policies. It shows how multiple controls can be
satisfied by a single solution. Examples of external compliance include PCI, HIPAA, and
Sarbanes-Oxley (SOX).
Figure 13 shows the progression of security capabilities used for Compliance.
Figure 13 Compliance Capabilities (figure; its labels are listed here)
Across the PINs (User, Device, Access, Wired, Wireless, Service, Cloud, WAN, Analysis): Client Security,
Web Application Firewall, Server-Based Security, TLS Offload, Firewall, Intrusion Detection, Wireless
Intrusion Detection, Mobile Device Management, Virtual Private Network.
Segmentation
Segmentation establishes boundaries for data and users. Traditional manual segmentation uses
a combination of network addressing, VLANs, and firewalls for policy enforcement.
Advanced segmentation leverages identity-aware infrastructure to enforce automated and
scalable policies.
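The difference between the two approaches above is easiest to see by running the same intent through both. The Python example below is an added illustration written for this page, not Cisco's TrustSec or any Cisco code: one policy ("only application servers reach the database tier on the database port; employees reach applications over HTTPS") is expressed first as address-based rules and then as identity-group rules, and both are evaluated against a set of constructed flows, including an endpoint that has moved to a different VLAN. The subnets, group names, endpoint-to-group table and sample flows are assumptions made for the example.

```python
"""Added example for the Segmentation domain (not Cisco code): the same intent
expressed two ways and evaluated against constructed flows.

  address_policy - manual segmentation: first-match rules keyed on subnets/VLANs
  group_policy   - identity-aware segmentation: rules keyed on endpoint groups

Subnets, group names, the endpoint-to-group table and the sample flows are
ASSUMPTIONS constructed for the illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


# Manual segmentation: an ACL keyed on addresses. Rule = (src net, dst net, port or None, action).
# Constructed sample; the trailing permit-any is the kind of catch-all that creeps into real ACLs.
ADDRESS_RULES = [
    ("10.10.0.0/24", "10.50.0.0/24", 3306, "permit"),  # app VLAN -> db VLAN, database port
    ("10.20.0.0/24", "10.50.0.0/24", None, "deny"),    # user VLAN -> db VLAN
    ("0.0.0.0/0",    "0.0.0.0/0",    None, "permit"),  # everything else
]


def address_policy(flow: Flow) -> str:
    """First-match evaluation of ADDRESS_RULES; implicit deny if nothing matches."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    for src_net, dst_net, port, action in ADDRESS_RULES:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (port is None or port == flow.dst_port)):
            return action
    return "deny"


# Identity-aware segmentation: endpoints are classified by who/what they are (the result an
# identity service hands the network after authentication), not by where they are plugged in.
ENDPOINT_GROUP = {
    "10.10.0.5": "app-server",
    "10.50.0.9": "db-server",
    "10.20.0.7": "employee",
    "10.30.0.7": "employee",  # the same laptop after it moved to another VLAN
}

# Policy matrix: (source group, destination group) -> permitted destination ports.
# Anything not listed is denied, including endpoints with no known group.
GROUP_POLICY = {
    ("app-server", "db-server"): {3306},
    ("employee", "app-server"): {443},
}


def group_policy(flow: Flow) -> str:
    """Default-deny matrix lookup on (src group, dst group) and port."""
    pair = (ENDPOINT_GROUP.get(flow.src_ip, "unknown"), ENDPOINT_GROUP.get(flow.dst_ip, "unknown"))
    return "permit" if flow.dst_port in GROUP_POLICY.get(pair, set()) else "deny"


SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.50.0.9", 3306),  # app -> db: legitimate
    Flow("10.20.0.7", "10.50.0.9", 3306),  # employee on user VLAN -> db
    Flow("10.30.0.7", "10.50.0.9", 3306),  # same employee after VLAN move -> db
    Flow("10.20.0.7", "10.10.0.5", 443),   # employee -> app over HTTPS
    Flow("10.60.0.4", "10.50.0.9", 3306),  # unclassified host -> db
]


def compare(flows=SAMPLE_FLOWS):
    """Return [(flow, address decision, group decision)] so the two models can be diffed."""
    return [(f, address_policy(f), group_policy(f)) for f in flows]


def drift(flows=SAMPLE_FLOWS):
    """Flows the address-based ACL permits but the identity policy denies: the silent
    gaps that appear when endpoints move between subnets or were never enumerated."""
    return [f for f, a, g in compare(flows) if a == "permit" and g == "deny"]


if __name__ == "__main__":
    for f, a, g in compare():
        print(f"{f.src_ip:>10} -> {f.dst_ip}:{f.dst_port}  address={a:6s} group={g}")
```

The ACL denies the employee's laptop on the user VLAN but permits the identical laptop once it has moved to 10.30.0.0/24, and permits an unclassified host outright, because the rules encode the topology rather than the intent. The group matrix follows the identity and is default-deny, so both of those flows are refused without any rule change; `drift()` lists exactly the flows where the two disagree, which is the audit a migration from manual to identity-aware segmentation should run.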
Figure 14 shows the progression of security capabilities used for Segmentation.
Figure 14 Segmentation Capabilities (figure; its labels are listed here)
Across the PINs (User, Device, Access, Wired, Wireless, Service, Cloud, WAN, Analysis): Client Security,
Posture Assessment, Server-Based Security, Firewall, Mobile Device Management, Flow Analytics,
Virtual Private Network, Threat Intelligence.
Threat Defense
Threat Defense provides visibility into the most evasive and dangerous cyber threats. Using
network traffic telemetry, reputation, and contextual information, it enables assessment of the
nature and potential risk of the suspicious activity so you can take corrective action.
Figure 15 shows the progression of security capabilities used for the operations of Threat Defense.
Figure 15 Threat Defense Capabilities (figure; its labels are listed here)
Across the PINs (User, Device, Access, Wired, Wireless, Service, Cloud, WAN, Analysis): Client Security,
Email Security, Malware Sandbox, Intrusion Detection, Intrusion Prevention, Firewall, Wireless
Intrusion Prevention, Mobile Device Management, Cloud Web Security, Flow Analytics, Wireless
Intrusion Detection, Web Application Firewall, Server-Based Security, Posture Assessment, Application
Visibility Control, Threat Intelligence, Anti-Malware.
Secure Services
Secure Services provide technologies such as access control, virtual private networks, and
encryption. This domain includes protection for insecure services such as applications,
collaboration, and wireless.
Figure 16 shows the progression of security capabilities used for Secure Services.
Figure 16 Secure Services Capabilities (figure; its labels are listed here)
Across the PINs (User, Device, Access, Wired, Wireless, Service, Cloud, WAN, Analysis): Email Security,
Client Security, Server-Based Security, Application Visibility Control, Malware Sandbox, TLS Offload,
Web Application Firewall, Cloud Web Security, Virtual Private Network, VPN Concentrator.
Under Attack with SAFE
Attacks in SAFE are represented by an attack continuum, shown in Figure 17.
Figure 17
Attack Continuum in the Enterprise
The attack continuum is divided into three parts: before, during, and after an attack.
• Before: You need to know what you are defending.
• During: When attacks get through, you need to be able to detect them.
• After: Once detected, you must contain the event, remediate, and bring operations back to normal.
For more information on what capability is used for each part of the attack continuum, see Table 2.
For more information on the attack continuum, reference architectures, and designs, see
www.cisco.com/go/SAFE.
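The "During" part of the continuum is where the Flow Analytics and Anomaly Detection capabilities of Table 2 do their work. The Python example below is an added illustration written for this page, not a Cisco product or its detection logic: it runs a small flow analytics pass over NetFlow-style records and flags, in miniature, the two threats Table 2 assigns to those capabilities, a host scanning for other hosts and a host exfiltrating data. The flow records, the internal address range, the thresholds and the per-host baseline are assumptions constructed for the example.

```python
"""Added example for the 'During' stage of the attack continuum (not Cisco code):
a flow analytics pass over NetFlow-style records implementing two Table 2
capabilities in miniature.

  scanning_hosts   - Anomaly Detection: sources whose SYN-only, near-empty flows
                     fan out to many distinct destinations (worm/scanner behaviour)
  exfil_candidates - Flow Analytics: internal hosts sending far more to external
                     addresses than a per-host baseline allows

The flow records, the internal address range, the baseline and the thresholds
are ASSUMPTIONS constructed for the example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed records: (src, dst, dst_port, bytes, tcp_flags). "S" = SYN only, no handshake completed.
FLOWS = [
    ("10.20.0.7", "10.50.0.9", 443, 18_400, "SA"),
    ("10.20.0.7", "10.50.0.9", 443, 22_000, "SA"),
    ("10.20.0.7", "198.51.100.5", 443, 250_000, "SA"),     # modest upload to an external SaaS host
    ("10.20.0.7", "10.50.0.12", 22, 60, "S"),               # two failed attempts: benign noise
    ("10.20.0.7", "10.50.0.13", 22, 60, "S"),
    ("10.20.0.12", "203.0.113.40", 443, 48_000_000, "SA"),  # 48 MB out to an external host
    ("10.20.0.12", "10.10.0.5", 443, 4_100, "SA"),
]
# Host 10.20.0.31 probing SMB on twelve consecutive addresses in the server subnet.
FLOWS += [("10.20.0.31", f"10.50.0.{i}", 445, 60, "S") for i in range(1, 13)]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed private space in use


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scanning_hosts(flows=FLOWS, min_targets=10, max_bytes=120):
    """Anomaly detection: a source is a scanner when its SYN-only flows carrying at most
    `max_bytes` reach at least `min_targets` distinct (destination, port) pairs."""
    targets = defaultdict(set)
    for src, dst, port, nbytes, flags in flows:
        if flags == "S" and nbytes <= max_bytes:
            targets[src].add((dst, port))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def exfil_candidates(flows=FLOWS, baseline_bytes=1_000_000):
    """Flow analytics: total bytes each internal host sends to external destinations;
    report hosts over the baseline with their top external destination for triage."""
    total = defaultdict(int)
    per_dst = defaultdict(lambda: defaultdict(int))
    for src, dst, port, nbytes, flags in flows:
        if is_internal(src) and not is_internal(dst):
            total[src] += nbytes
            per_dst[src][dst] += nbytes
    return {
        src: {"bytes": b, "top_destination": max(per_dst[src], key=per_dst[src].get)}
        for src, b in total.items() if b > baseline_bytes
    }


def during_report(flows=FLOWS):
    """Combine both detections into the list a responder would act on."""
    findings = [(h, "scanning internal hosts") for h in scanning_hosts(flows)]
    findings += [(h, f"{d['bytes']} bytes to {d['top_destination']}")
                 for h, d in exfil_candidates(flows).items()]
    return sorted(findings)


if __name__ == "__main__":
    for host, why in during_report():
        print(f"{host:12s} {why}")
```

The scanner is caught by fan-out of failed connection attempts, not by byte volume, and the exfiltration candidate by volume to an external destination, not by connection count; the two failed SSH attempts from 10.20.0.7 and its 250 KB upload stay below both thresholds. In production the baseline would be learned per host from history rather than fixed, and the report feeds the "After" stage: contain the two hosts, then pull the full flow history for each.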
SAFE Pieces
Capabilities describe the primary functions of a security service. Table 2 provides a definition for the
capabilities used in SAFE. The recommended products are mapped to each capability, where and when
it is used, and the top threats mitigated.
Table 2 Cisco Security Capabilities and Top Threats
(Columns of the original table: Capability and its function; Recommended Products; Places in the
Network; Threat Continuum; Top Threats. Each entry below is one row.)

Firewall: segmentation; stateful filtering and protocol inspection.
  Recommended products: Adaptive Security Appliance, Integrated Services Router, Meraki MX.
  Places in the Network: Secure Branch, Secure Campus, Secure Cloud, Secure External Zones, Secure
  Data Center, Secure Edge.
  Threat continuum: Before.
  Top threats: Unauthorized access and malformed packets.

Intrusion Detection and Prevention: identification of attacks by signatures and anomaly analysis.
  Recommended products: Cisco FirePOWER Services on Adaptive Security Appliance, UCS-E Appliance,
  FirePOWER Appliance, FirePOWER Services Module or Appliance.
  Places in the Network: Secure Branch, Secure Campus, Secure External Zones, Secure Cloud, Secure Edge.
  Threat continuum: Before.
  Top threats: Attacks using worms, viruses, or other techniques.

Virtual Private Network (VPN): encrypted communication tunnels.
  Recommended products: Adaptive Security Appliance, Integrated Services Router, Meraki MX,
  Aggregation Services Router, Firepower Appliance.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Cloud, External Zones,
  Secure Edge.
  Threat continuum: Before.
  Top threats: Easily collecting information and identities.

VPN Concentrator: encrypted remote access.
  Recommended products: Adaptive Security Appliance, Aggregation Services Router, AnyConnect.
  Places in the Network: Secure Edge.
  Threat continuum: Before.
  Top threats: Exposed services and data theft.

Access Control + TrustSec: contextual segmentation.
  Recommended products: Meraki MX, Adaptive Security Appliance, Aggregation Services Router, Wireless
  Controller/Catalyst Switch, Centralized Identity Services Engine, Nexus/Catalyst Switch.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge.
  Threat continuum: Before and During.
  Top threats: Data theft through privilege escalation.

Email Security: messaging integrity and protections.
  Recommended products: Email Security Appliance, Cloud Web Security.
  Places in the Network: Secure Edge, Secure Branch.
  Threat continuum: During and After.
  Top threats: Infiltration and exfiltration via email.

Web Security: Internet access integrity and protections.
  Recommended products: Web Security Appliance, Cloud Web Security.
  Places in the Network: Secure Edge, Secure Branch.
  Threat continuum: During and After.
  Top threats: Infiltration and exfiltration via HTTP.

Web Reputation/Filtering: tracking against URL-based threats.
  Recommended products: Web Security Appliance, Cloud Web Security, Meraki MX.
  Places in the Network: Secure Branch, Secure Edge.
  Threat continuum: During and After.
  Top threats: Attacks directing to a malicious URL.

Application Visibility Control (AVC): deep packet inspection (DPI) of application flows.
  Recommended products: FirePOWER Services Module or Appliance, Cisco ASR.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge.
  Threat continuum: During and After.
  Top threats: Attack tools hiding in permitted applications.

Anti-Malware: identify, block, and analyze malicious files and transmissions.
  Recommended products: Cisco Advanced Malware Protection for Networks, Advanced Malware Protection.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge, Secure External
  Zones.
  Threat continuum: Before, During, and After.
  Top threats: Malware distribution across networks or between servers and devices.

Threat Intelligence: contextual knowledge of emerging hazards.
  Recommended products: Cisco Collective Security Intelligence, Cisco Talos Security Intelligence.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge.
  Threat continuum: During and After.
  Top threats: Zero-day malware and attacks.

Flow Analytics: network traffic metadata identifying security incidents.
  Recommended products: Integrated Services Router, Adaptive Security Appliance, Wireless LAN Controller,
  Catalyst Switch, NetFlow Generation Appliance, Lancope FlowSensor.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge.
  Threat continuum: During and After.
  Top threats: Traffic, telemetry, and data exfiltration from successful attacks.

Server-Based Security: security software to protect hosts.
  Recommended products: Cisco Advanced Malware Protection for Endpoint, AnyConnect, Anti-Virus (partner).
  Places in the Network: Secure Data Center.
  Threat continuum: Before, During, and After.
  Top threats: Viruses or malware compromising systems.

Client-Based Security: security software to protect the clients.
  Recommended products: Cisco Advanced Malware Protection for Endpoint, Anti-Virus (partner), AnyConnect.
  Places in the Network: Secure Branch, Secure External Zones.
  Threat continuum: Before, During, and After.
  Top threats: Viruses or malware compromising systems.

TLS Encryption Offload: hardware accelerated encryption of data services.
  Recommended products: Transport Layer Security Offload Technology Partner.
  Places in the Network: Secure Edge, Secure Campus, Secure Cloud.
  Threat continuum: Before.
  Top threats: Theft of unencrypted traffic.

Web Application Firewalling: advanced application inspection and monitoring.
  Recommended products: Web Application Firewall Technology Partner.
  Places in the Network: Secure Data Center.
  Threat continuum: Before, During, and After.
  Top threats: Attacks against poorly developed applications.

DDoS Protection: protection against scaled attack forms.
  Recommended products: Distributed Denial of Service Technology Partner.
  Places in the Network: Secure Edge.
  Threat continuum: Before and During.
  Top threats: Massively scaled attacks that overwhelm services.

Cloud Web Security: security and control for the distributed enterprise.
  Recommended products: Cloud Web Security, Meraki MX, FirePOWER URL, Centralized Web Security
  Appliance, AnyConnect Agent.
  Places in the Network: Secure Edge, Secure Branch, Secure Campus, Secure External Zones.
  Threat continuum: Before, During, and After.
  Top threats: Attacks from malware, viruses, and malicious URLs.

Wireless Intrusion Detection and Protection (WIDS/WIPS): detection, location, and mitigation of wireless
rogues and threats.
  Recommended products: Centralized Mobility Services Engine, Centralized Wireless LAN Controller, Meraki.
  Places in the Network: Secure Branch, Secure Campus.
  Threat continuum: Before, During, and After.
  Top threats: Infrastructure access via wireless technology.

Mobile Device Management (MDM): endpoint access control based on policies.
  Recommended products: Identity Services Engine, Meraki Mobile Device Management.
  Places in the Network: Secure Campus.
  Threat continuum: Before and During.
  Top threats: Compromised devices connecting to infrastructure.

Malware Sandbox: detonation and analysis of file behavior.
  Recommended products: Cloud Web Security, Cisco AMP.
  Places in the Network: Secure Branch, Secure Data Center, Secure Edge.
  Threat continuum: During.
  Top threats: Polymorphic threats.

Posture Assessment: client endpoint compliance verification and authorization.
  Recommended products: AnyConnect Agent, Identity Services Engine.
  Places in the Network: Secure Branch, Secure Campus.
  Threat continuum: Before and During.
  Top threats: Compromised devices connecting to infrastructure.

Identity/Authorization: restriction of user access to services and resources.
  Recommended products: Centralized Identity Services Engine.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge, Secure WAN.
  Threat continuum: Before and During.
  Top threats: Attackers accessing restricted information.

Anomaly Detection: identification of infected hosts scanning for other vulnerable hosts.
  Recommended products: Cisco FirePOWER Services on Adaptive Security Appliance, UCS-E Appliance,
  FirePOWER Appliance.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge, Secure WAN.
  Threat continuum: Before and During.
  Top threats: Worm traffic that exhibits scanning behavior.

Analysis/Correlation: security event management of real-time information.
  Recommended products: SIEM partner.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge, Secure WAN.
  Threat continuum: During and After.
  Top threats: Diverse and polymorphic attacks.

Policy/Configuration: unified infrastructure management and compliance verification.
  Recommended products: Prime Management Suite, Cisco FirePOWER Defense Center.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge, Secure WAN.
  Threat continuum: Before and During.
  Top threats: Seizure of infrastructure or devices.

Vulnerability Management: continuous scanning and reporting of infrastructure.
  Recommended products: Partner tools.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge, Secure WAN.
  Threat continuum: Before, During, and After.
  Top threats: Malicious device connected to infrastructure.

Monitoring: network traffic inspection.
  Recommended products: Cisco NAM, Cisco NGA, Lancope StealthWatch.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge, Secure WAN.
  Threat continuum: Before, During, and After.
  Top threats: Traffic, telemetry, and data exfiltration from successful attacks.

Logging/Reporting: centralized event information collection.
  Recommended products: Prime Infrastructure Manager, Partner tools, Cisco FirePOWER.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge, Secure WAN.
  Threat continuum: Before, During, and After.
  Top threats: Unauthorized network access or configuration.

Network Infrastructure: routing and switching communications equipment.
  Recommended products: Cisco ISR, Cisco ASR, Cisco ASA, Meraki MX, Cisco Nexus, Cisco Catalyst.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge, Secure WAN.
  Threat continuum: Before.

Load Balancing: distribution of workloads across multiple resources.
  Recommended products: Load Balancer Technology Partner.
  Places in the Network: Secure Data Center.
  Threat continuum: Before.

Wireless: controllers and access points enabling mobile connectivity.
  Recommended products: Mobility Services Engine, Wireless LAN Controller, Wireless Access Points,
  Meraki Access Points.
  Places in the Network: Secure Branch, Secure Campus.
  Threat continuum: Before.

Video: communication endpoint.
  Recommended products: Cisco TelePresence.
  Places in the Network: Secure Branch, Secure Campus.
  Threat continuum: Before.

Conference Bridge: intermediate coordination point.
  Recommended products: Cisco Unified Communications.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center.
  Threat continuum: Before.

Voice: communications endpoint.
  Recommended products: Cisco Unified Communications.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center.
  Threat continuum: Before.

Storage: information storage on all media types.
  Recommended products: NAS/SAN (Partner).
  Places in the Network: Secure Data Center, Secure Edge.
  Threat continuum: Before.

Time Synchronization: device clock calibration.
  Recommended products: All.
  Places in the Network: Secure Branch, Secure Campus, Secure Data Center, Secure Edge.
  Threat continuum: Before.
For more information on SAFE, see www.cisco.com/go/SAFE.