This event took place on Thursday, October 29th at 10:00 PDT.
Mason Harris is a Solutions Architect for Cisco focusing on cloud architectures with Cisco’s largest customers. He has more than 24 years of experience in information technology and is one of the few experts who holds five CCIE certifications (#5916). Prior to joining Cisco, he was the Chief Architect at cloud security startup vArmour Networks. Outside of work, Mason can be found backpacking on long trails or at home with his family.
Vivek Santuka is a Technical Solutions Architect at Cisco and a security consultant to some of Cisco’s largest customers. He has over 15 years of experience in cyber security design, implementation, and troubleshooting. Vivek is a member of multiple technical advisory groups. He holds an RHCE, CISSP, and two CCIE certifications (#17621). Vivek is a distinguished speaker at Cisco Live.
Jamie Sanbower is a Principal Architect in Cisco’s Global Security Architecture Team. Jamie is a technical leader and member of numerous advisory and working groups. With over 15 years of technical experience in the networking and security industry, Jamie has developed, designed, implemented, and operated enterprise network and security solutions for a wide variety of large clients. Jamie is a Cisco Live Distinguished Speaker and a co-author of Cisco Press books. He holds two CCIE certifications (#13637).
Aaron Woland is a Principal Engineer in Cisco’s Advanced Threat Security & Integrations group and works with Cisco’s largest customers all over the world. His primary job responsibilities include security design, solution enhancements, standards development, advanced threat solution design, endpoint security, and futures. He has over 20 years of experience in the IT industry. Aaron has collaborated on several Cisco Press publications and he has published many papers and design guides. Aaron is a Hall of Fame Elite Member for distinguished speakers at Cisco Live. He holds several certifications: GHIC, GCFE, GSEC, Certified Ethical Hacker, MCSE, VCP, CCSP, CCNP, CCDP, and a CCIE (#20113) among others.
You can download the slides of the presentation in PDF format here.
Q: How is automation part of the Zero Trust framework?
A: Automation is a huge part of the ZT frameworks (there are many frameworks). All the frameworks call out automation as a requirement to ensure that ZT functions occur - it could be for automation of changing the trust levels or automation of the actions.
Q: What do you think is the biggest difference between work in cybersecurity and network security?
A: [Aaron Woland] Cyber is mostly focused on the Incident Responder type of position, whereas the Security certs are focused more on the Ops / Admin type of role. [Vivek Santuka] Network Security is part of the larger Cyber Security realm. Network Security focuses on access control and filtering, but it is difficult to stay purely Network Security focused nowadays.
Q: I got the old CCNA R&S, as we know there is no CCNA Security anymore, is it ok if I study for the CCNP Security or do you recommend any other certification for an entry level like the new CCNA?
A: [Aaron Woland] I personally think CCNP Security would be the way to go if you are comfortable with CCNA R&S topics.
Q: I've been in IT for 26+ years, I got into the Cisco world with firewalls and I really like the world of Firewalls, ISE and Firepower. What Certs are recommended? What path? I have never had a certification.
A: I would definitely look at the CCNP Security, then CCIE Security!
Q: Secure Connections are in demand, Security is the future/need. There's so much to learn!
A: Security in motion and Security at rest - These are the 2 pillars of security. And yes, there is always more to learn. All of us have to learn everyday.
Q: Cisco Tetration will be part of ISE or SDN such as DNAC?
A: Unfortunately, we can't talk about roadmaps in public forums.
Q: For implementing security across an enterprise, do you think it's better to have a team with people that specialize with integrating a product (ie Firepower) or with general knowledge of the products?
A: That is a loaded question, I think it ultimately depends on the environment - but you definitely need to have more than one person who understands how each product works or you will end up in trouble.
Q: Could you give your observation between Cisco and other vendors (Fortinet) regards security
A: This is a Cisco webex session, so naturally we are going to say Cisco is the way to go.
Q: Are the topics more general/theoretical, or concrete Cisco implementations/technologies?
A: Those are more related to Cisco technologies.
Q: Is cloud security handled in the virtualization section of your publications? How is this handled in the lab part of the CCIE exam?
A: Cloud Security is part of Part 3 of Volume 1. Unfortunately, we cannot comment on how the CCIE lab handles it due to NDA, but an informed analysis can tell you what to expect in the closed lab environment.
Q: The remote VPN will die soon and ZT will replace it. What do the authors think about it?
A: [Aaron Woland] I think there is a nice mixture in the balance with ZT, where traffic will not terminate on the on-prem HQ, but not all traffic can go directly to the Cloud. I'm a HUGE Zero Trust guy - have been forever, so I love this topic. So, I think that VPNs to a Cloud termination where traffic goes through a security stack and can make it to the corporate premises AND can go to the cloud is a right future architecture - or where things like a Duo Network Gateway (reverse-proxy technologies) are in play. There is so much here with technology like SASE that is in play, that we can talk about; I love this space and it's only growing. [Vivek Santuka] Remote VPN won't die anytime soon. There will always be workloads in data centers that need to be accessed. So I see an intelligent combination of SASE/ZTNA/SDP with Remote Access VPN becoming more common.
Q: Can we expect any Video version for these editions?
A: No, we are not planning to do a video version. That will probably take 4 years to do.
Q: A new book to ISE and DevNet?
A: [Aaron Woland] I just finished the SISE CCNP exam book for ISE, and now I think I'm finished. No more for me. Maybe Vivek? [Vivek Santuka (Cisco)] I think I am done with writing books. But I agree there needs to be more material around programmability.
Q: Last week, our team members discussed password age (passwordless login is being tested in many companies) and the trust value of a password. Who is typing the password is an important question. How can Zero Trust handle these questions?
A: Zero Trust can solve this by 1) adding another factor on top of the passwords. We all know passwords are not enough. 2) Restricting access to the least required after the password and 2FA are validated.
Q: What type of security track is the best nowadays? Pure security, CyberOps, pen testing, etc.
A: That is a very subjective question. Meaning, it's very much up to you. The thing I love about security is that there is so much here that you can specialize in, and if you don't like what you are doing - you can change it. So, what interests you more?
Q: How do you all feel about how the field is moving toward more DevOps, more of a developer/programmer approach than over the last 20 years?
A: [Aaron Woland] Great question. There is a lot of what we like to call DevSecOps - where security needs to get closer to the application development in order to protect the data more effectively. The principles are not changing, but the location can and should shift some. It is also important to state it is in addition to, not as a replacement. "Defense in depth." [Vivek Santuka] I would add that the field isn't moving but expanding to include DevSecOps. It isn't new either, but there is more focus on it.
Q: Do you see more of the shift being pushed to app developers to integrate on-access auth, similar to TACACS+, so that app access is constantly verified?
A: [Aaron Woland] I wish!!!! We need that in the industry. [Vivek Santuka] Secure app development requires that access is verified regularly. Ideally, every time new data is requested, you should validate access. I do think we will see this happening more. In addition to that, we will also see posture checks happen for app access.
Q: How do you handle learning the never-ending technology changes without driving yourself crazy? Creating a healthy work/life balance is a challenge for me.
A: [Mason Harris] Personally I enjoy learning the evolution of technology, so I guess it's a personal preference. I would not be happy doing the same thing every day, year after year. [Vivek Santuka] Cisco is amazing at helping with work/life balance. It does depend on your employer and family a lot, but I personally compartmentalize. Some days work takes priority and some days family. I look to balance it over a period of time instead of daily. [Aaron Woland] I echo Mason's statement 10000%. I would be miserable in a field that allows me to get bored.