SOURCEFIRE PRODUCT OVERVIEW. Sourcefire 3D System. Security for the real world. Discover. Determine. Defend.

Transcription

1 SOURCEFIRE PRODUCT OVERVIEW Sourcefire 3D System Discover. Determine. Defend.

2 Discover Threat Intelligence Snort the de facto standard for intrusion prevention Sourcefire Vulnerability Research Team (VRT) seasoned industry experts providing coverage in advance of actual threats Detect and prevent spyware, worms, attacks, DoS, and more Endpoint Intelligence Passive asset discovery Targeted active scanning NETWORK SECURITY TODAY: DAUNTING, FRUSTRATING, AND NEVER-ENDING You have made quite an investment into firewall technology, antivirus packages, security software, staff, and consultants. Yet even with your best efforts, security breaches continue to threaten your revenue, reputation, and ability to adhere to regulations. Detecting and responding to attacks just at the perimeter is no longer effective or sufficient. How can you confidently and proactively protect all networks, systems, applications, data, and entry points short of blocking all traffic? You need a multi-layered, integrated process that will help you protect against threats across all vectors, all the time, in real-time. You need the Sourcefire 3D System. Asset-based business context Network Intelligence Comprehensive and persistent network discovery Network Behavior Anomaly Detection (NBAD) Network flow analysis Despite the fact that more than $20 billion was spent on security products over the last year, the threats and vulnerabilities keep coming just adding another patch won t ensure network protection. Discover. Determine. Defend. 2

3 TRUE, UNIFIED, INTRUSION PREVENTION With the Sourcefire 3D System, all of your security applications and technologies finally work together and benefit from each other s capabilities. You have a common framework for decision making and collaborative security functionality that uses rules and automation 24 hours a day, seven days a week. The Sourcefire 3D System brings together policy, behavior, rules, technology, and automation to complement the sevenstep process advocated by Gartner for true, unified, intrusion prevention: Policy definition asset inventory policies, port/protocol policies, security configuration policies At this stage, the Sourcefire 3D System helps you define IT security policies based on business needs and required access to applications, files, IP addresses, protocols, services, and more. Baseline/discovery endpoint intelligence, Network Behavior Anomaly Detection (NBAD) Here, the Sourcefire 3D System discovers context and endpoint intelligence about network components, eliminating ambiguity and dangerous assumptions so that you benefit from more accurate blocking decisions. Policy enforcement block all services not explicitly allowed Based on user-defined policies, the Sourcefire 3D System knows which protocols and services to allow or block. Updates to the IT infrastructure are implemented through change management processes. Inspection defragmentation, reassembly The Sourcefire 3D System goes beyond inspection at the network perimeter with blocking decisions that can be automated enabling inspection across the enterprise and at the core of the network seamlessly and simultaneously. Its focus at this stage includes behavioral and anomaly analysis so that suspicious targeted and internal activity can be logged, alarmed, or blocked based on its relative threat to your organization. Threat blocking signature match, protocol analysis, anomaly detection, behavior analysis At this step, the Sourcefire 3D System will contain, quarantine, or block critical threats via a myriad of techniques including dropping traffic, disrupting sessions between devices, replacing malicious content with benign content, and integrating with network devices such as firewalls, routers, and switches. Management device management, vulnerability management, compliance management The Sourcefire 3D System makes it easy to manage rule sets, filters, software updates, configurations, and changes in users, applications, and usage. Much of the policy and configuration information comes from the system s vulnerability management process. Monitoring alerts, log events, QoS/Shaping During this last step, the Sourcefire 3D System collects and logs data on attacks and blocking actions. You should be using this data to intervene, report trends, and fine tune the overall process and policies. Staying Ahead We are committed to making sure our products and technology remain on the leading edge and protect all of your online assets and network entry points all the time. Validating our commitment, various industry organizations have given us numerous awards, certifications, and recognition for our innovation and capabilities. One award, the NSS Gold award, has only been presented four other times before Sourcefire. For the first time, you can enjoy true intrusion prevention across your highly switched internal networks, as well as at the perimeter. 3 REV

4 THE SOURCEFIRE 3D SYSTEM: DISCOVER, DETERMINE, AND DEFEND "The full 3D System is the most comprehensive IPS on the market. Five out of five stars for Documentation, Ease of Use, Features, Performance, Support, Value for Money, and Overall rating. Our Best Buy Award goes to Sourcefire. SC Magazine With the Sourcefire 3D System you will: Discover risks, vulnerabilities, and threats through Sourcefire Intrusion Sensors, Sourcefire RNA (Real-Time Network Awareness), and Sourcefire Intrusion Agents. Sourcefire Intrusion Sensors use the award-winning Snort rules-based detection engine to bring you all the benefits of signature, protocol, and anomaly-based inspection methods to all of your network traffic at speeds up to 8 gigabits per second. In addition, Sourcefire RNA Sensors will passively monitor your network to deliver highly detailed, real-time profiles of all your network assets including their configuration, behavior, potential vulnerabilities, and associated changes. Determine the business impact of any risk. By tightly integrating and correlating the threat information provided by Sourcefire Intrusion Sensors and Agents with the endpoint and network intelligence provided by Sourcefire RNA Sensors, the Sourcefire Defense Center will easily prioritize the millions of security events to determine the most critical events to your business and take the appropriate actions. Defend your online assets with the ABCs of Defense Alert, Block, Correct all in real time. Send alerts through , SNMP, Syslog, and trouble ticket systems. Block attacks through firewalls, IPSs, switches, and routers. Correct the situation through patch or configuration management. DISCOVER DETERMINE DEFEND Threat Intelligence Endpoint Intelligence Network Intelligence C O R R E L A T E P R I O R I T I Z E C O M P L I A N C E Alert Block Correct Discover. Determine. Defend. 4

5 SOURCEFIRE RNA ALWAYS ON, ALWAYS ALERT Imagine being able to know that an infected laptop has joined your network right when it happens not after you have applied a patch on Friday and the infected laptop connects on Monday or when it is discovered months later by some network audit. Sourcefire RNA is like a magic eye that watches everything happening on your network. This is just one example of how Sourcefire RNA provides always on, real time visibility through passive network discovery methods similar to passive sonar. With passive network discovery, there are no required agents, superfluous traffic, or network asset disruptions. RNA provides a layer of intelligence to network monitoring that has never been seen before within the network security industry. Sourcefire RNA provides continuous visibility into: Flow data, where you can analyze traffic patterns and composition for a variety of purposes including trend analysis Network asset profiles, including IP address, OS and version, services and versions, and ports Asset behavior profiles, including traffic flow and traffic type Network profiles, including hop count, TTL parameters, and security vulnerabilities Change events for new assets, changed assets, and behaviorally anomalous assets All Internet peering points Network World This information, coupled with the RNA vulnerability database, allows you to (1) know all the possible vulnerabilities on your network in real time and (2) take the appropriate action automatically if you choose. You can use this information before and after a threat to remediate an attack as well as to tune Intrusion Sensors making them more efficient and less likely to generate false positives or false negatives. RNA Benefits at a Glance Endpoint Intelligence Know all the machines on your network all the time Easily detect on the spot if a machine begins to rebroadcast SPAM Detect spyware compromise and quickly quarantine infected machines Instantly detect new machines entering your network if policy dictates, sandbox them until clean Know if a new device is behaving maliciously despite having passed access controls to check for antivirus and firewall protection Network Intelligence Detect and shutdown illegal mail servers Detect and shutdown rogue desktop applications including desktop web servers Enforce corporate policies for P2P restrictions such as Kazaa and instant messaging Maximize network intelligence integrity The RNA Visualization Module alerts you when anomalous behavior is detected on the network. When that happens, the specific node begins to blink. Sourcefire RNA technology is deployed three different ways: as a Plug-n-Protect dedicated appliance anywhere on your network, as software on a Sourcefire Intrusion Sensor, or on other third-party servers distributed throughout your environment. 5

6 Targeted Active Scanning for Timely Endpoint Intelligence Providing endpoint and network intelligence to network security products significantly improves their capabilities and limits the obstacles to a successful deployment. Organizations deploying network security products should look for their integration with vulnerability assessment and network intelligence solutions. Gartner Through the integration with Nessus, the open source active scanning tool, the Sourcefire 3D System also enables you to take advantage of targeted active scanning with predefined flexible scanning policies that automatically respond to network change. You get the best of both scanning worlds passive and active. For example, if RNA detects that a new port has been opened on a network asset, Nessus can be triggered to inspect just that port through a surgical scan. The Nessus Scan Input Module also allows you to automatically populate your Vulnerability Database with Nessus Scan data and then maintain the data in real-time via the RNA 24x7 vulnerability feeds. Network Behavior Anomaly Detection (NBAD) Building on the innovation of its RNA technology, the Sourcefire 3D System is the first intrusion prevention system to integrate Network Behavior Anomaly Detection (NBAD) capabilities into an IPS. With a single integrated IPS, you can continually analyze packets, assets, and the flow of data over your network for increased threat and vulnerability management. This is the level of performance where we would like to see all IDS and IPS products aspire. NSS Group Administrators can track and chart a variety of host and network metrics with Advance Flow Visualization. Drilling down is easy and metrics and chart types can be changed with a simple mouse click. With NBAD, the Sourcefire 3D System continually monitors network based on rules and policies that you set. The Sourcefire 3D System then identifies and tracks anomalies such as distributed denial of service (DDoS) attacks, worms, and zero-day threats and provides an alert or takes automatic action. You set the thresholds to measure anomalous activities, customize alerts, and automate responses. With the Sourcefire 3D System, you are in a better position to quickly address and resolve threats before network performance is disrupted and customers complain. Discover. Determine. Defend. 6

7 SOURCEFIRE INTRUSION SENSORS The best prevention begins with the best detection and knowledge. With Sourcefire Intrusion Sensors, you enjoy the highest attack detection and prevention rate on the market through Snort, the world s most popular rules-based detection engine, created and managed by Sourcefire. Snort uses a rules-based language a powerful combination of signature, protocol, and anomaly-based inspection methods to examine packets at both the IP protocol and application level. You can set it to look for specific occurrences of attacks against a protocol or the conditions of an attack. By using the flexibility of the Snort rules language, you can block, contain, or quarantine critical threats with techniques such as dropping traffic, disrupting sessions between devices, or integrating with access control devices such as firewalls, routers, and switches. When deployed inline, the Sourcefire 3D System allows you to replace malicious content with benign content. The flexibility in the rules language and numerous configuration options (port density, interface types, deployment modes), allows you to easily define new ways to identify and prevent threats and enforce policies specific to your individual environment. With Sourcefire Intrusion Sensors, you get the widest range of defense blocking, replacing, alerting, or monitoring when suspicious activity is detected. You can deploy the sensors inline as an IPS or passively as an IDS. You can write your own rules or modify existing ones, and you can keep your database of rules current through automatic downloads from Sourcefire s support site. Overall, Sourcefire 3D is one of the best intrusiondetection/ intrusion-prevention products. Federal Computer Week Every organization is different, with some network traffic considered legitimate for certain firms, and threatening to others. Sourcefire Intrusion Sensors allow you to enable, disable or modify individual rules so that they are exactly appropriate for your environment and your business. Of course, you can also create custom rules, all without affecting the level of threat coverage provided to the remainder of the network. With line speeds from five megabits per second (Mbps) to eight gigabits per second (Gbps) and flexibility up to 14 or more CPU units, Sourcefire Intrusion Sensors come in a variety of capacities to meet a variety of needs. Most come with hot-swap and high availability for all main system components including power supplies, interface cards, disk drives, and processors and the industry s best latency of less than 100 microseconds. 7

8 Sourcefire Intrusion Sensor Throughput IS500 IS1000 IS2000 IS2100 IS3000 IS3800 IS5800 5Mbps 45Mbps 100Mbps 250Mbps 1Gbps 1.5Gbps up to 8Gbps SOURCEFIRE INTRUSION AGENTS TM Sourcefire Intrusion Agents allow you to do more than just detect intrusions; they enable a single Sourcefire Defense Center to aggregate event information from one or more open source Snort sensors alongside data from Sourcefire Intrusion Sensors and Sourcefire RNA Sensors. This allows: Sophisticated data analysis Comprehensive reporting Impact assessment and prioritization of events Integration with third-party tools Real-time response to actual attacks Sourcefire Intrusion Agents transmit events generated by open source Snort sensors to the Sourcefire Defense Center, where it can be tightly integrated with the network and vulnerability information provided by Sourcefire RNA Sensors to create a persistent, comprehensive view of the security events on your network. Discover. Determine. Defend. 8

9 SOURCEFIRE DEFENSE CENTER The Plug-n-Protect Sourcefire Defense Center is the brains of the 3D System. It unifies and centrally manages critical network security functions, including event monitoring, correlation, and prioritization for incident response, forensic analysis, trends analysis, and management reporting so that you can make the most of a distributed sensor infrastructure. Designed to scale to enterprise-wide deployments, Sourcefire Defense Center has the only data management solution capable of handling hundreds of millions of events for identification of long-term security trends, while also allowing in-depth forensic analysis down to the individual packet level. By tightly integrating the threat intelligence provided by Sourcefire Intrusion Sensors and Agents with the endpoint and network intelligence provided by Sourcefire RNA, Sourcefire Defense Center correlates and analyzes events in real-time to determine: The relevance of the event to your network The impact an event will have on your network If the impact is critical to your business The Sourcefire 3D System also provides greater endpoint intelligence and support for third party remediation tools in response to threats or increased data to other network security products. In addition to built-in modules for Cisco PIX and Check Point firewalls, Sourcefire can now interface with the Shavlik Patch Management System to automatically trigger the application of patches. 9

10 Sourcefire Defense Center s policy and response engine is unmatched in its power and capabilities. For the first time, you can build or customize policies that combine threat, network, and vulnerability management. Sourcefire Defense Center allows you to confidently protect your network by analyzing events in real-time and enabling automated responses according to the ABCs of Defense: Alert - automated warnings to individuals and other management systems, via messages sent using SYSLOG, , SNMP traps, or trouble tickets ensure attack warnings are addressed. Block - critical threats can not only be blocked but also contained or quarantined via techniques such as dropping traffic, disrupting sessions between devices, and integrating with network devices such as firewalls, routers, and switches. Correct - new vulnerabilities and threats can be automatically mitigated by integrating with patch or configuration management systems to apply configuration or code changes to eliminate possible exploitation. Sourcefire Defense Center includes an easy-to-use, yet extremely powerful, web-based analysis interface, for real-time forensic reporting and analysis. Customizable workflows enable you to tailor the interface to fit the way you investigate and analyze security events. In addition, you can easily create standard or customized reports in PDF, HTML, and CSV formats that can be automatically ed for easy distribution. PLUG-N-PROTECT All Sourcefire appliances come preconfigured, designed to be up and running in less than 15 minutes. No software installation is required. These Plug-n-Protect appliances come with built-in data management and hardened operating systems. The user interfaces have been designed by security engineers for security engineers. This approach enables you to jump into patch management, system integrity verification, system isolation, and custom remediation activities quickly. To start, simply connect to the network and boot. And going forward, you are assured of low overhead and the best total cost of ownership in network security. Discover. Determine. Defend. 10

11 HAVING CONTEXT MEANS SMARTER AND BETTER DECISIONS Unless tuned by knowledgeable administrators, most intrusion prevention systems have no knowledge of the true context and composition of the network they are responsible for defending. This lack of endpoint intelligence leaves intrusion technologies guessing in many areas of processing especially with regard to packet handling. The intrusion prevention systems are ripe for evasion: attackers can actually know more about the network than you, the defenders. The endpoint intelligence that the Sourcefire 3D System offers eliminates ambiguity and dangerous assumptions enabling better real-time decisions. With the endpoint and network intelligence provided by RNA, the Sourcefire 3D System has the smartest intrusion technology on the market. Relevant and non-relevant threats receive the precise priority and attention they deserve. System profiling also precisely emulates the behaviors of the target, foiling even the most sophisticated hackers once and for all. Without Sourcefire IPS is noise generator Plethora of false positives Gartner 99 out of 100 alerts mean nothing Confidence level low only small amount of threats can be safely blocked. Lack of precision. With Sourcefire IPS driving real-time defense Know that events are real Know the criticality of events Know if critical assets have been compromised Automate timeconsuming manual processes 11

12 ABOUT SNORT AND THE SOURCEFIRE VULNERABILITY RESEARCH TEAM (VRT) Open source Snort was created by Martin Roesch, the founder and Chief Technology Officer of Sourcefire. Sourcefire owns the Snort IP and manages the open source project. Over the past few years, Sourcefire has contributed increasing resources to advancing Snort into a mature, feature-rich technology that offers the most flexible and accurate threat detection and prevention available. That commitment has lead to gigabit performance capability, the integration of the Snort inline technology, portscan detection, protocol anomaly detectors, normalization and detection, documentation, and so much more. Staying Ahead of the Zotob Worm 8/12/05 - Sourcefire VRT responds to a Microsoft Windows Plug-and-Play (PnP) vulnerability announcement that came out a few days earlier issuing an advisory and releasing a number of rules to detect all attempted exploits against the PnP vulnerability. 8/14/05 - The Zotob worm is identified in the wild. 8/15/05 - After thorough analysis of the worm, Sourcefire notifies customers that rules were already in place to detect Zotob activity. 8/17/05 - Variants of Zotob as well as other attacks emerge. The VRT verifies that all are covered by original rules update. 8/19/05 - Sourcefire publishes instructions on how to leverage the power of RNA and the 3D Policy and Response engine for further Zotob detection. With over 2,000,000 downloads and 100,000+ active users, and integration into hundreds of third-party solutions, Snort has become the de facto standard for intrusion detection and prevention. Gartner has recognized the mainstream acceptance of Snort in its Open Source Hype Cycle, describing Snort as widely available, used by mainstream companies and supported by many vendors. The power and reach of Snort is due in large part to the power and reach of the Snort user community. Aside from the seasoned developers at Sourcefire, there are literally thousands of experienced users providing invaluable real-world testing of features and rules as well as a global early warning system for new threats. By leveraging the many eyeballs theory that was popularized by Eric Raymond and used to launch Linux to success in the operating system market, people in the open source Snort community worldwide can detect and respond to bugs and other security threats more quickly and efficiently than in a closed environment. Discover. Determine. Defend. 12

13 The Sourcefire Vulnerability Research Team (VRT), comprised of leading edge intrusion detection and prevention experts, works to discover, assess, and respond to the latest trends in hacking activity, intrusion attempts, and vulnerabilities. The robustness of the Snort rules language enables the VRT to write complex rules that focus on detecting any attempts to exploit an underlying vulnerability. This means you can detect new variants of known worms stay ahead of the threats without the need to update your system. Compliance Ensure compliance with policy-based alerting and reporting Automate compliance reporting ENSURING THE STRONGEST POLICY COMPLIANCE Security policies are only as effective as their monitoring and enforcement. Now you can enforce, manage, enhance, and tune your security policies based on your combined threat, network, and vulnerability management data. The policy and response engine of the Sourcefire 3D System is the first technology to give you such power and confidence. Flow data events can also be included in your compliance policy rules. With the Sourcefire 3D System, you can set security policies specifically for your network and know immediately when those policies are violated. For example, you can easily prevent unauthorized servers, P2P applications such as Kazaa, and rogue applications such as web servers running on desktops. Moreover, you can thoroughly document your organization s compliance with the Federal Information Security Management Act (FISMA), the Gramm-Leach-Bliley (GLB) Act, the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes Oxley (SOX) Act, the Security Breach Information Act (SB1386), or the Visa/MC Processing Card Industry s (PCI) Data Security Standard. In the Visa/MC PCI standard, it states we must use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. After our analysis, we were fully convinced that Sourcefire led the way. They just provided more value. BankersBank Card Services By implementing the Sourcefire solution we have protected our network better. We would also recommend this solution for added HIPAA compliance. Sourcefire provides proof that we are monitoring and protecting our systems. If there is suspicious activity on our network, we will know about it. Sisters of Charity Providence Hospitals Administrators can build powerful rules to test for a variety of traffic and connection scenarios. 13

14 ENTERPRISE NEEDS, ENTERPRISE SCALABILITY Sourcefire offers a highly scalable intrusion detection and prevention solution, which includes a built-in high performance database capable of handling millions of events in real time. This solution, the Sourcefire 3D System, provides all the threat, endpoint, and network intelligence features you need for large scale, enterprise deployments. In fact, Sourcefire received the highest score of Exceptional from Network World for scalability. The Sourcefire 3D System provides automated failover support by offering a high availability mode that allows two Defense Centers to manage the same sensor or group of sensors. In addition, this system offers dynamic load balancing across Intrusion Sensors that are deployed on the same network segment. You can easily create groups and apply common policies across the sensor group. The Sourcefire 3D System offers several levels of user-specific access, enabling you to determine exactly what access to allow, including maintenance access, data access, restricted data access, rule access, and admin access. Discover. Determine. Defend. 14

15 YOU NEED MORE THAN AN INTRUSION PREVENTION TOOL, YOU NEED AN INTRUSION PREVENTION PROCESS The days of responding to an attack when it occurs are over. Attacks don t just happen at the perimeter any more. Attacks can come from a variety of network entry points. Adding a new security product to address that threat is not the answer. Blocking all network traffic is not the answer either. You need a solution a process that will protect all network entry points, systems, applications, and data all the time. You need to protect your online assets before, during, and after an attack. To get ahead of the attacks, you have got to continually monitor, assess, and react to potential risks, hidden vulnerabilities, and suspicious behavior and anomalies. If you had to stake your career on your intrusion prevention system and level of network security protection, you would want a system that is: Comprehensive integrating threat, endpoint, and network intelligence. Perhaps you would want the one recognized as the most comprehensive and the best value IPS on the market by SC Magazine. Highly automated giving you context for smarter, better decisions and automation when you want it. Policy driven with a multi-level, integrated approach that ensures thorough compliance enforcement and documentation. Infrastructure agnostic allowing you to leverage your existing investment and not lock you into one approach. Built on a proven technology Snort, the de facto standard for intrusion detection and prevention technology, created by Sourcefire. That only leaves you with one choice the Sourcefire 3D System. 15

16 Discover. Determine. Defend. US Headquarters 9770 Patuxent Woods Drive Columbia, MD US Virginia Sales Office 8000 Towers Crescent Drive Suite 1550 Vienna, VA European Sales Office 400 Thames Valley Park Drive Thames Valley Park Reading RG6 1PT +44 (0) ABOUT SOURCEFIRE Sourcefire, Inc., the world leader in intrusion prevention, is transforming the way organizations manage and minimize network security risks with its 3D Approach - Discover, Determine, Defend - to securing real networks in real-time. The company's ground-breaking network defense system unifies intrusion and vulnerability management technologies to provide customers with the most effective network security available. Founded in 2001 by the creator of Snort, Sourcefire is headquartered in Columbia, MD and has been consistently recognized for its innovation and industry leadership by customers, media, and industry analysts alike with more than 16 awards and accolades since January 2005 alone. Most recently, the company was positioned in the Leaders Quadrant of Gartner s Magic Quadrant for Network Intrusion Prevention System Appliances report and the Sourcefire 3D System was named Best Security Solution, at the 2006 SC Magazine Awards. At work in leading Fortune 1000 and government agencies, the names Sourcefire and founder Martin Roesch have grown synonymous with innovation and intelligence in network security Sourcefire, Inc. Sourcefire, Sourcefire 3D System, Intrusion Sensor, RNA Sensor, Defense Center and Snort are trademarks or registered trademarks of Sourcefire. All rights reserved. REV