Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Transcription

1 Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

2 Your Security Challenges

3 Defending the Dynamic Network! Dynamic threats 䕬 䕬 䕬 䕬 Many threats are unknown Well-financed attackers New threats emerge daily Advanced Persistence Threat Not knowing what s on your network is going to continue to be the biggest problem for most security practitioners. Marcus Ranum CSO Magazine! Dynamic networks 䕬 New and changing devices, operating systems, services, protocols, and ports 䕬 New vulnerabilities 䕬 New and changing users! Static defenses simply aren t good enough 3 䕬 To be truly effective, the IPS must adapt to dynamically changing threats and networks

4 Today s Reality Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure. Neil MacDonald VP & Gartner Fellow Source: Gartner, Inc., The Future of Information Security is Context Aware and Adaptive, May 14, 2010 Dynamic Threats! Organized attackers! Sophisticated threats! Multiple attack vectors Static Defenses! Ineffective defenses! Black box limits flexibility! Set-and-forget doesn t work 4

5 About Sourcefire

6 About Sourcefire Mission: To be the leading provider of intelligent cybersecurity solutions for the enterprise. 6! Founded in 2001 by Snort Creator, Martin Roesch, CTO! Headquarters: Columbia, MD! Focus on enterprise and government customers! Global Security Alliance ecosystem! NASDAQ: FIRE

7 Powered by Snort Global standard for Intrusion Detection and Prevention World s largest threat response community Interoperable with other security products Owned and controlled by Sourcefire, Inc. 7

8 Backed by the VRT 150+ Private & Public Threat Feeds Snort & ClamAV Community Insight Advanced Microsoft & Industry Disclosure 20,000 Malware Samples per Day Sourcefire Vulnerability Research Team (VRT) Research & Analysis Best-in-Class Threat Protection 8

9 A New Approach

10 Traditional IPS vs. Next-Generation IPS Traditional IPS Next-Generation IPS Closed & Blind Architecture Open & Customizable None or Limited Awareness Visibility & Intelligence 10 Human Intensive Automation Self Tuning & Precision

11 Next-Gen IPS Open Architecture! Powerful Engine & Rules Adaptable Custom fit to network Comprehensive coverage! Open Community Information sharing Shared protection! Protection Against Advanced Persistent Threats (APT) 11

12 Next-Gen IPS The Power of Awareness Network Know what s there, what s vulnerable, and what s under attack Application Identify change and enforce policy on hundreds of applications Behavior Detect anomalies in configuration, connections and data flow Identity Know who is doing what, with what, and where 12

13 Next-Gen IPS Highly Automated Operation! Correlate Attacks to Targets! Intelligent Event Reduction! Intelligent Tuning! Operational Efficiency! Custom Fit Security Real Time, All the Time! 13

14 How It Works

15 Security Events Must Have Context 15 Does this traffic threaten my business?

16 Intrusion Events Prioritization Impact Assessment Intrusion event Vulnerable (exploit targets known vulnerability) Possibly vulnerable (exploit targets OS and/or service) Not vulnerable (no service present) Not present (no host present) 16

17 Intelligent Correlation to the Target 3D SENSOR WINDOWS SERVER Attack Blocked Windows server vulnerable 3D SENSOR 3D SENSOR Attack Is Correlated to Targets LINUX SERVER Linux server not vulnerable Blocked Event Logged DEFENSE CENTER 3D SENSOR Latest Windows attack targets Microsoft Windows Server and Linux Server. Attacks are correlated to targets. Highpriority event generated for Windows Server target. 17

18 Automated IPS Tuning! How often does your network change?! How often do you tune your IPS?! Key Adaptive IPS capabilities include: RNA Recommended Rules Adaptive Traffic Profiles Non-Standard Port Handling Tuning g 18

19 Intelligent Anomaly Detection 3D SENSOR Abnormal Behavior Logged & Alerts Triggered 3D SENSOR DEFENSE CENTER 3D SENSOR 3D SENSOR New rogue host connects internally. Sourcefire detects new host and abnormal server behavior. Defense Center triggers alerts for IT to remediate. 19 Abnormal Behavior Detected Hosts Compromised New Asset Detected

20 Intelligent Application Violation 3D SENSOR 3D SENSOR Compliance Event Logged & User Identified DEFENSE CENTER 3D SENSOR 3D SENSOR IT & HR Contact User Security team uses compliance whitelists to detect IT policy violations. Host detected using Skype. User identified and then contacted by IT and HR. 20 P2P App Triggers Whitelist Violation

21 21 Sourcefire NG-IPS Conceptual Diagram

22 Traditional IPS vs. Next-Generation IPS Key Attributes Traditional IPS Next-Gen IPS Inline IPS & Passive IDS Modes!! Default Detection Policy!! Reports, Alerts & Dashboards!! Custom Rules! Vulnerability-based Protection! Automated Impact Assessment! Automated Tuning! Application Policy Management! Network Behavior Analysis! User Policy Management! Virtual IPS & Management Console! 22

23 Network Infrastructure Comprehensive Ecosystem SIEM / Log Management Configuration Management Incident Management 23 Vulnerability Management Systems Management

24 What Makes Sourcefire Different?! Sourcefire 3D System is powered by intelligence! Sourcefire provides full network visibility: Attacks Network targets Potential compromised targets Users attackers and victims Real-time, all-the-time, Sourcefire never sleeps! Stop Doing Things the Old Way! Try the Next Generation in Intrusion Detection & Prevention. 24

25 25 Questions?