SourceFireNext-Generation IPS

Transcription

1 D Ů V Ě Ř U J T E S I L N Ý M SourceFireNext-Generation IPS Petr Salač CCNP Security, CCNP, CICSP, CCSI #33835 petr.salac@alefnula.com

2 Our Customers Biggest Security Challenges Maintaining security posture with changing business models and attack vectors Continuously protecting across a dynamic threat landscape Reducing complexity and fragmentation of security solutions

3 Who is Sourcefire? Founded in 2001, based in Columbia, MD Security from Cloud to Core Market leader in (NG)IPS New entrant to NGFW space with strong offering Groundbreaking Advanced Malware Protection solution Innovative 52+ patents issued or pending Pioneer in IPS, context-driven security, advanced malware World-class research capability Owner of major Open Source security projects Snort, ClamAV, Razorback October 7, 2013, Cisco completed the acquisition of Sourcefire $2.7B investment in security!

4 Leadership The Path Up and Right Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since Cisco and/or its affiliates. All rights reserved. As of December 2013 Source: Gartner (December 2013) Cisco Confidential 4

5 Mapping Technologies to the Model A T T A C K C O N T I N U U M Control Enforce Harden Detect Block Defend Scope Contain Remediate Firewall Patch Mgmt IPS IDS AMD App Control Vuln Mgmt AV FPC Log Mgmt VPN IAM Anti-Malware Forensics SIEM V I S I B I L I T Y & C O N T E X T

6 How it s done Attack Continuum NGFW NGIPS AMP Network Endpoint Virtual Cloud FIreSIGHT Management Center

7 Sourcefire Agile Security Solutions Management Center APPLIANCES VIRTUAL NEXT- GENERATION FIREWALL NEXT- GENERATION INTRUSION PREVENTION ADVANCED MALWARE PROTECTION COLLECTIVE SECURITY INTELLIGENCE CONTEXTUAL AWARENESS HOSTS VIRTUAL MOBILE APPLIANCES VIRTUAL 11

8 FirePOWER Benefits LCD Display Quick and easy headless configuration Connectivity Choice Change and add connectivity inline with network requirements Configurable Bypass or Fail Closed Interfaces For IDS, IPS or Firewall deployments Device Stacking Scale monitoring capacity through stacking Lights Out Management Minimal operational impact Cisco and/or its affiliates. All rights reserved. SSD Solid State Drive for increased reliability Hardware Acceleration For best in class throughput, security, Rack size/mbps, and price/mbps Cisco Confidential 12

11 Hosts Vulnerabilities Passive Discovery Services Communications Users Applications All the time In real-time

18 Awareness Who is at the host OS & version Identified What other systems / IPs did user have, when? Server applications and version Client Applications Client Version Application Only Sourcefire delivers complete network visibility

31 Leadership* Class leader in detection Class leader in performance Class leader in vulnerability coverage Completely evasion free Ratings* 99% detection & protection 34 Gbps inspected throughput 60M concurrent connections $15 TCO / protected Mbps "For the past five years, Sourcefire has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities. Vikram Phatak, CTO NSS Labs, Inc. The overall system is mature, logging all critical data necessary for forensic and compliance auditing. NSS Labs Management CAR. Ratings* 98% detection & protection 52 Gbps inspected throughput 120M concurrent connections $17 TCO / protected Mbps Leadership* Class leader in performance Class leader for TCO Class leader in sessions Completely evasion free * NSS Labs, Network IPS Product Analysis Sourcefire 3D8260 v4.10, April 2012 NSS Labs, Next-Generation Firewall Product Analysis Sourcefire February Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37

32 Speed Sensor Common packet acquisition chain Scalable hardware Raw compute power Flow processors Rules scale as log n Analysis Impact analysis Contextual data at source Rich pivot interfaces Correlation Rules Remediation Services 100,000 events 5,000 events 500 events 20 events +10 events 3 events 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38

34 Alerting Correlation User Interface Presentation engine Reporting engine SMS me only if a valid attack Remediation Rules engine services gets through to one of our Reputation Geolocation services Correlation engine services executives Anomaly Android Detection phones. Detection Engines Directory mapping Directory Services Identity Network Awareness Threat awareness User Awareness Awareness DAQ

52 Enhanced High-Availability Devices directly connected via the HA Link external interfaces Clustered devices must be the same model with identical NetMods HA Link interface depends upon the potential throughput of each cluster member 60

53 IPv6 Awareness & Support IPv6 support is fully integrated From policies to event viewers to table views. Network discovery of IPv6 hosts User Agent, Impact Flag and rule recommendations all work with IPv6 Nmap can scan over IPv6 IPv6 discovery events can stream via estreamer Cisco and/or its affiliates. All rights reserved. Cisco Confidential 61

56 Advanced Malware Protection Solution Dedicated FirePOWER appliance for Advanced Malware Protection with subscription OR Add-on subscription to any FirePOWER appliance for NGIPS Advanced Malware Protection subscription for hosts, virtual and mobile devices Complete advanced malware protection to protect networks and devices Cisco and/or its affiliates. All rights reserved. Cisco Confidential 70

57 Dynamic Analysis: Process Overview File Detected on FirePOWER - Calculates hashes -Saves a copy if policy dictates* FirePOWER Appliance 1892y skfhsd FireSIGHT Management Hash metadata sent to AMP Cloud AMP Cloud Response: E.g. - Disposition = Unknown -Threat Score = Unknown * File is sent to VRT Services Cloud for Dynamic Analysis* (if policy dictates) 1892y skfhsd Dynamic analysis:* - Analysis queue Status - Error Status - Threat Score <optional proxy*> <optional proxy*> Sourcefire Cloud Services Cisco and/or its affiliates. All rights reserved. VRT Dynamic Analysis Cloud* (Files) FireAMP Cloud (Metadata / Hashes) * = New with 5.3 Cisco Confidential 71

58 Finding patient 0: Trajectory analysis Look wide (AMP for Networks), look deep (AMP for Endpoints) Look wide: Network trajectory What systems were infected? When did it happen? Where is patient 0? What else did it bring in? Look Deep: Device trajectory Cisco and/or its affiliates. All rights reserved. Cisco Confidential 73

65 Collective Security Intelligence Private & Public Threat Feeds IPS Rules Malware Protection Sourcefire Vulnerability Research Team Sandboxing Machine Learning Big Data Infrastructure Reputation Feeds Vulnerability Database Updates Sourcefire AEGIS Program Sandnets File Samples (>180,000 per day) FireAMP Community Honeypots Advanced Microsoft & Industry Disclosures SPARK Program Snort & ClamAV Open Source Communities

66 Děkuji za pozornost D Ů V Ě Ř U J T E S I L N Ý M