Deploying Next Generation Firewall with ASA and Firepower services




Deploying Next Generation Firewall with ASA and Firepower services
Dragan Novaković, Security Consulting Systems Engineer
March 2015

Threat Landscape Demands More than Application Control
- 60% of data is stolen in hours
- 54% of breaches remain undiscovered for months
- 100% of companies connect to domains that host malicious files or services
- It is a community that hides in plain sight, avoids detection and attacks swiftly
Cisco Confidential 2

Defense-in-Depth Security Alone Is Not Enough
- Siloed approach: increased complexity and reduced effectiveness
- Poor visibility: undetected multivector and advanced threats
- Manual and static: slow, manual, inefficient response

Why?


The Configuration Problem
- Poor awareness of the true operational environment
- Changes to the environment that require configuration/posture changes go unrecognized
- Detection content unavailable (0-day)
- No anomaly detection mechanisms in place

The Organizational Problem
- False positive rates too high
- Operator overload due to the mass of equally meaningless events that must be contextualized
- Frequently technologies are deployed but not properly operationalized ("check-box security")
- In 2014, the average cost of an organizational data breach was US$3.5 million (Source: The Ponemon Institute)

Integrated Threat Defense Across the Attack Continuum
Attack continuum:
- BEFORE: Control, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Technologies mapped across the continuum: Firewall/VPN, NGIPS, Advanced Malware Protection, Granular App Control, Security Intelligence, Retrospective Security, Modern Threat Control, Web Security, IoCs/Incident Response, Visibility and Automation

What is Sourcefire? From a historical perspective
- Snort created: created by Martin Roesch in 1998; open source network intrusion system (engine, rules language)
- Sourcefire founded: founded in 2001 by Martin Roesch; created a commercial version of Snort
- Sourcefire acquires Immunet: acquisition completed 2011; Advanced Malware Protection, ClamAV
- Cisco acquires Sourcefire: acquisition completed 2013

What is Sourcefire? From a product perspective
- Sourcefire IPS/NGFW: IPS powered by Snort; includes NGFW features such as URL filtering and Application Visibility and Control; sensors are controlled and monitored by the FireSIGHT Defense Center (on premises)
- AMP for Endpoints: agent installed on each endpoint; endpoints connect to an off-premises cloud for hash lookups and sandboxing; managed by the FireAMP Console (cloud based)
- Cisco products: content (ESA, WSA, CWS) and network (ASA)

Addressing the Configuration Problem
- Visibility architecture: collect context about the operational environment continuously, in real time; visibility data is used to recommend the configuration of the security infrastructure; real-time notifications of change drive real-time changes in security posture
- Content: rapid development and dissemination of updated detection is fundamental, for both the vendor and security operations teams

Addressing the Organizational Problem
- Contextualization: event loads are high due to misconfiguration; even when well tuned, raw events must be contextualized automatically where possible
- Operationalization: that's your job; engagement from corporate boards is crucial in setting security priorities and expectations; boards need to know what the cybersecurity risks to the business are and their potential impact; CIOs must ask tough questions about security controls that are meaningful to the board and outline the business implications

Introducing the Industry's First Threat-Focused NGFW
- Cisco ASA with FirePOWER Services: proven Cisco ASA firewalling plus industry leading NGIPS and AMP
- Integrating defense layers helps organizations get the best visibility
- Enables dynamic controls to automatically adapt
- Protects against advanced threats across the entire attack continuum
- #1 Cisco Security announcement of the year!

Introducing ASA with FirePOWER Services
- FirePOWER hardware module: ASA 5585-X SSP-60 (40 Gbps), ASA 5585-X SSP-40, ASA 5585-X SSP-20, ASA 5585-X SSP-10
- FirePOWER software module (*requires SSD disk): ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X

Superior Integrated & Multilayered Protection (Cisco Collective Security Intelligence enabled)
- Cisco ASA: world's most widely deployed, enterprise-class ASA stateful firewall; clustering & high availability; network firewall, routing, switching; identity-policy control & VPN
- Application Visibility & Control: granular Cisco Application Visibility and Control (AVC)
- Intrusion Prevention (subscription): industry-leading FirePOWER next-generation IPS (NGIPS)
- URL Filtering (subscription): reputation- and category-based URL filtering
- Advanced Malware Protection (subscription)
- FireSIGHT Analytics & Automation: built-in network profiling

Visibility Is the Key: threats hidden in plain sight

Central Management, Intelligence and Context
- FireSIGHT Management Centre: processes events; central management, policy definition, event analysis, correlation, network map (users, devices, apps, etc.)
- FirePOWER: generates events (IPS, intelligence, file, malware, access control, flow, discovery); real-time traffic analysis; access control; passive acquisition

FireSIGHT Management Centre: SecOps Workflows
- FireSIGHT Management Center: NGFW/NGIPS management, forensics / log management, network AMP / trajectory, vulnerability management, incident control system, adaptive security policy, retrospective analysis, correlated SIEM eventing, network-wide / client visibility
- Visibility categories: threats, users, web applications, application protocols, file transfers, malware, command & control servers, client applications, network servers, operating systems, routers & switches, mobile devices, printers, VoIP phones, virtual machines

FireSIGHT Fuels Automation
- IT insight: spot rogue hosts, anomalies, policy violations, and more
- Impact assessment: threat correlation reduces actionable events by up to 99%
- Automated tuning: adjust IPS policies automatically based on network change
- User identification: associate users with security and compliance events

Impact Assessment: correlates every intrusion event to the impact of the attack against its target

Impact Flag  Administrator Action                     Why
1            Act immediately, vulnerable              Event corresponds to a vulnerability mapped to the host
2            Investigate, potentially vulnerable      Relevant port open or protocol in use, but no vuln mapped
3            Good to know, currently not vulnerable   Relevant port not open or protocol not in use
4            Good to know, unknown target             Monitored network, but unknown host
0            Good to know, unknown network            Unmonitored network
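The table above is a decision procedure over the passive network map: network known, host known, vulnerability mapped, port or protocol exposed. The following is an added example (not Cisco or Sourcefire code) that applies those rows to constructed intrusion events; the HostProfile/IntrusionEvent model, the monitored ranges and the VULN-PLACEHOLDER ids are assumptions, while the two 10.x addresses are the ones used on the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: address ranges covered by FireSIGHT discovery data.
MONITORED_NETWORKS = [ipaddress.ip_network("10.4.0.0/16"), ipaddress.ip_network("10.5.0.0/16")]

@dataclass
class HostProfile:                      # what passive discovery knows about one host
    open_ports: Set[Tuple[str, int]]    # e.g. ("tcp", 445)
    protocols: Set[str]                 # application protocols seen in use
    vulns: Set[str]                     # vulnerability ids mapped to the host

@dataclass
class IntrusionEvent:                   # the IPS event fields impact assessment needs
    dst_ip: str
    proto: str
    dst_port: int
    app_protocol: Optional[str]
    vuln_ids: Set[str]                  # vulnerabilities the triggering rule is mapped to

ACTIONS = {1: "Act immediately, vulnerable", 2: "Investigate, potentially vulnerable",
           3: "Good to know, currently not vulnerable", 4: "Good to know, unknown target",
           0: "Good to know, unknown network"}
URGENCY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}   # queue order, most urgent first

def impact_flag(event: IntrusionEvent, network_map: Dict[str, HostProfile]) -> int:
    """Apply the impact table row by row to one intrusion event."""
    ip = ipaddress.ip_address(event.dst_ip)
    if not any(ip in net for net in MONITORED_NETWORKS):
        return 0                                    # unmonitored network
    host = network_map.get(event.dst_ip)
    if host is None:
        return 4                                    # monitored network, unknown host
    if event.vuln_ids & host.vulns:
        return 1                                    # vulnerability mapped to this host
    if (event.proto, event.dst_port) in host.open_ports or event.app_protocol in host.protocols:
        return 2                                    # exposed, but no vuln mapped
    return 3                                        # port closed and protocol not in use

def triage(events, network_map) -> List[Tuple[IntrusionEvent, int, str]]:
    """Flag every event and order the analyst queue most urgent first."""
    flagged = [(e, impact_flag(e, network_map)) for e in events]
    flagged.sort(key=lambda pair: URGENCY[pair[1]])
    return [(e, f, ACTIONS[f]) for e, f in flagged]

# Constructed network map and events (placeholder vulnerability ids).
SAMPLE_NETWORK_MAP = {
    "10.4.10.183": HostProfile({("tcp", 445), ("tcp", 80)}, {"smb", "http"}, {"VULN-PLACEHOLDER-A"}),
    "10.5.11.8": HostProfile({("tcp", 22)}, {"ssh"}, set()),
}
SAMPLE_EVENTS = [
    IntrusionEvent("192.0.2.10", "tcp", 80, "http", {"VULN-PLACEHOLDER-A"}),   # outside monitored ranges
    IntrusionEvent("10.5.11.8", "tcp", 3389, "rdp", {"VULN-PLACEHOLDER-C"}),  # port closed, protocol unused
    IntrusionEvent("10.4.10.183", "tcp", 445, "smb", {"VULN-PLACEHOLDER-A"}), # matching vuln mapped
    IntrusionEvent("10.4.99.1", "tcp", 445, "smb", set()),                    # monitored, unknown host
    IntrusionEvent("10.5.11.8", "tcp", 22, "ssh", {"VULN-PLACEHOLDER-B"}),    # port open, no vuln mapped
]
```

Running triage(SAMPLE_EVENTS, SAMPLE_NETWORK_MAP) orders the five events as impact 1, 2, 3, 4, 0, which is the "reduce actionable events" effect the deck attributes to impact assessment: only the flag-1 event demands immediate action.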

Cisco FireSIGHT Fuels Automation: impact assessment and recommended rules automate routine tasks

FireSIGHT: Detecting Anomalies
- Detects if a new application appears or the traffic profile changes
- Identify hacked hosts
- Useful in static environments: SCADA, DMZ, MEDTEC...
- Reduced risk and cost
Example alert: host has suddenly started to use an SSH client and outgoing traffic volume has increased by 3

FireSIGHT: Automated Responses
- Use a pre-defined or custom script to initiate automatic actions, e.g. quarantine a device with the ISE API (change VLAN or SGT)
- Reduced risk and cost
- Indications of compromise that trigger quarantine: IPS event with impact 1, malware, communication with a botnet

Automated, Integrated Threat Defense: Superior Protection for the Entire Attack Continuum
Four pillars: Context and Threat Correlation, Dynamic Security Control, Multi-vector Correlation, Retrospective Security
- Context and Threat Correlation: impact assessment (Priority 1, Priority 2, Priority 3)
- Dynamic Security Control: adapt policy to risks (web/HTTP traffic example)
- Multi-vector Correlation: early warning for advanced threats (Host A: admin request, 5 IoCs; Host B: mail, PDF, 3 IoCs; Host C)
- Retrospective Security: shrink the time between detection and cure

OpenAppID: First OSS Application and Control
- OpenAppID language documentation: accelerate the identification and protection of new cloud-delivered applications
- Special Snort engine with OpenAppID preprocessor: detect apps on the network; report usage stats; block apps by policy; Snort rule language extensions to enable app specification; append the app name to IPS events
- Available now at Snort.org
- Library of OpenAppID detectors: over 1000 new detectors to use with the Snort preprocessor; extendable sample detectors

Reduced Cost and Complexity
Cisco's FirePOWER Next-Generation IPS collectively saves this customer $230,100 per year.
Annual costs of IPS maintenance, typical IPS vs next-generation IPS, across impact assessment of IPS events, IPS tuning and linking IPS events to users: typical IPS bars $144,000, $72,000, $59,400; next-generation IPS bars $24,300, $18,000, $3,000.
- Multilayered protection in a single device
- Highly scalable
- Automates security tasks: impact assessment, policy tuning, user identification
- Integrates with third-party security solutions

Indications of Compromise (IoCs)
- IPS events: malware backdoors, exploit kits, web app attacks, CnC connections, admin privilege escalations
- SI events: connections to known CnC IPs
- Malware events: malware detections, Office/PDF/Java compromises, malware executions, dropper infections

AMP Provides Continuous Retrospective Security
- Breadth of control points: email, endpoints, web, network, IPS, devices
- Telemetry stream and continuous feed into continuous analysis
- Continuous analysis: file fingerprint and metadata; file and network I/O; process information

Retrospective security, step by step:
- An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
- At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8 through the SMB application.
- Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
- A half hour later the file is copied yet again to a fourth device (10.5.60.66) through the same SMB application.
- The Cisco Collective Security Intelligence cloud has learned this file is malicious, and a retrospective event is raised for all four devices immediately.
- At the same time, a device with the FireAMP connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
- 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.

Sample Solution Architecture with Management
- FireSIGHT Management Center: configuration (policy), file trajectory, AMP events, correlation; link to the AMP public cloud for endpoint connector events
- Cisco Security Manager or ASDM
- ASA cluster with FirePOWER Services: file disposition queried against the AMP Cloud (SHA256, Spero); file submitted for dynamic analysis to the VRT Dynamic Analysis Cloud
- AMP Cloud and endpoint connectors: manual dynamic analysis for endpoint connectors

ASA FirePOWER Services Packet Flow
1. Receive PKT
2. Ingress interface
3. Existing conn? (if NO: ACL match, Permit? NO leads to DROP)
4. Xlate (NO leads to DROP)
5. Inspections / security checks (NO leads to DROP)
6. SFR (FirePOWER Services module)
7. NAT IP header
8. Egress interface
9. L3 route (NO leads to DROP)
10. L2 addr (NO leads to DROP)
11. XMIT PKT
2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

ASA FirePOWER Functional Distribution
- FirePOWER Services module: URL category/reputation, NGIPS, application visibility and control, advanced malware protection, file type filtering, file capture
- ASA module: TCP normalization, TCP intercept, IP option inspection, IP fragmentation, botnet traffic filter, NAT, routing, ACL, VPN termination

FireSIGHT Management Center Appliances

Model                              750      1500     2000       3500       4000
Max. devices managed*              10       35       70         150        300
Event storage                      100 GB   125 GB   1.8 TB     400 GB     4.8/6.3 TB
Max. network map (hosts / users)   2K/2K    50K/50K  150K/150K  300K/300K  600K/600K
Events per second (EPS)            2000     6000     12000      10000      20000

New: Virtual FireSIGHT Management Center, up to 25 managed devices
New: Virtual FireSIGHT Management Center, up to 2 or 10 managed devices (promotional PIDs FS-VMW-2-SW-K9 and FS-VMW-10-SW-K9)
* Max number of devices is dependent upon sensor type and event rate

Collective Security Intelligence
- Cisco Talos (Talos Security Intelligence and Research Group) delivers: malware protection, reputation feeds, IPS rules, vulnerability database updates
- Analysis infrastructure: sandboxing, machine learning, big data infrastructure
- Inputs: private and public threat feeds, sandnets, file samples (>1.1 million per day), FireAMP community, honeypots, Sourcefire AEGIS program, advanced Microsoft and industry disclosures, SPARK program, Snort and ClamAV open source communities

Robust Partner Ecosystem
- Partner categories: vulnerability management, custom detection, full packet capture, NAC, incident response, network access taps, infrastructure & mobility, visualization, SIEM
- Across the continuum: BEFORE (policy and control), DURING (identification and block), AFTER (analysis and remediation)
- Combined API framework

Only Cisco Delivers
- Unmatched visibility: global intelligence with the right context
- Consistent control: consistent policies across the network and data center
- Advanced threat protection: detects and stops advanced threats
- Complexity reduction: fits and adapts to changing business models

Cisco ASA with FirePOWER Services: A New, Adaptive, Threat-Focused NGFW
- Integrated threat defense: best-in-class, multilayered protection in a single device
- Superior visibility: full contextual awareness to eliminate gaps
- Automation: simplified operations and dynamic response and remediation

Thank you.