Trust the Strong (DŮVĚŘUJTE SILNÝM)
Sourcefire Next-Generation IPS
Petr Salač, CCNP Security, CCNP, CICSP, CCSI #33835, petr.salac@alefnula.com
Our Customers' Biggest Security Challenges
- Maintaining security posture with changing business models and attack vectors
- Continuously protecting across a dynamic threat landscape
- Reducing complexity and fragmentation of security solutions
Who is Sourcefire?
- Founded in 2001, based in Columbia, MD
- Security from Cloud to Core
- Market leader in (NG)IPS
- New entrant to the NGFW space with a strong offering
- Groundbreaking Advanced Malware Protection solution
- Innovative: 52+ patents issued or pending
- Pioneer in IPS, context-driven security, advanced malware
- World-class research capability
- Owner of major open source security projects: Snort, ClamAV, Razorback
- October 7, 2013: Cisco completed the acquisition of Sourcefire, a $2.7B investment in security!
Leadership: The Path Up and Right
Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006. (As of December 2013; source: Gartner, December 2013)
2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mapping Technologies to the Model
Attack continuum:
- Control / Enforce / Harden
- Detect / Block / Defend
- Scope / Contain / Remediate
Technologies mapped onto the continuum: Firewall, Patch Mgmt, IPS, IDS, AMD, App Control, Vuln Mgmt, AV, FPC, Log Mgmt, VPN, IAM, Anti-Malware, Forensics, SIEM
Underpinned by Visibility & Context
How it's done: Attack Continuum
NGFW, NGIPS and AMP, across Network, Endpoint, Virtual and Cloud, managed by the FireSIGHT Management Center
Sourcefire Agile Security Solutions
- Management Center (appliances, virtual)
- Next-Generation Firewall
- Next-Generation Intrusion Prevention
- Advanced Malware Protection (hosts, virtual, mobile; appliances, virtual)
- Collective Security Intelligence
- Contextual Awareness
FirePOWER Benefits
- LCD Display: quick and easy headless configuration
- Connectivity Choice: change and add connectivity inline with network requirements
- Configurable Bypass or Fail Closed Interfaces: for IDS, IPS or Firewall deployments
- Device Stacking: scale monitoring capacity through stacking
- Lights Out Management: minimal operational impact
- SSD: solid state drive for increased reliability
- Hardware Acceleration: for best in class throughput, security, rack size/Mbps, and price/Mbps
Appliances Summary
All appliances include:
- Integrated lights-out management
- Sourcefire acceleration technology
- LCD display
Virtual Defense Center / Virtual Sensor
Passive Discovery
Hosts, Vulnerabilities, Services, Communications, Users, Applications
All the time, in real-time
What does their traffic look like over time? What operating systems?
2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
View all application traffic; look for risky applications
Geolocation for source and destination URL
Intrusion events by impact, priority, hosts, users
File analysis, malware detection
Dashboard
Awareness
- Who is at the host
- OS & version identified
- What other systems / IPs did the user have, and when?
- Server applications and version
- Client applications and client version
- Application
Only Sourcefire delivers complete network visibility
BEFORE
FW integration with IPS: only a license
Policy-Driven Visibility and Control: Filter Access and Apply Protection by Application, User, and Traffic Path
Updates from Cloud (VRT): IPS SW, vulnerabilities with platforms
Updates from Cloud (VRT): Snort Rules
Chaining FW with IPS and File Analysis
DURING
What counts with NGIPS? Context, Speed, Accuracy, Flexibility, Value
Leadership*
- Class leader in detection
- Class leader in performance
- Class leader in vulnerability coverage
- Completely evasion free
Ratings*
- 99% detection & protection
- 34 Gbps inspected throughput
- 60M concurrent connections
- $15 TCO / protected Mbps

"For the past five years, Sourcefire has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities." Vikram Phatak, CTO, NSS Labs, Inc.
"The overall system is mature, logging all critical data necessary for forensic and compliance auditing." NSS Labs Management CAR

Ratings*
- 98% detection & protection
- 52 Gbps inspected throughput
- 120M concurrent connections
- $17 TCO / protected Mbps
Leadership*
- Class leader in performance
- Class leader for TCO
- Class leader in sessions
- Completely evasion free

* NSS Labs, Network IPS Product Analysis, Sourcefire 3D8260 v4.10, April 2012; NSS Labs, Next-Generation Firewall Product Analysis, Sourcefire, February 2013
Speed
Sensor:
- Common packet acquisition chain
- Scalable hardware, raw compute power, flow processors
- Rules scale as log n
Analysis:
- Impact analysis
- Contextual data at source
- Rich pivot interfaces
Correlation rules and remediation services
Event funnel: 100,000 events -> 5,000 events -> 500 events -> 20 events (+10 events) -> 3 events
Security Dashboard
Alerting and Correlation (architecture, top to bottom)
- Alerting
- User interface: Presentation engine, Reporting engine
- Correlation: Rules engine, Correlation engine, Reputation services, Geolocation services, Remediation services
- Directory mapping / Directory services
- Detection engines: Anomaly Detection, Identity, Network Awareness, Threat Awareness, User Awareness
- DAQ
Example policy: "SMS me only if a valid attack gets through to one of our executives' Android phones."
By IPS Impact Flag
By Discovery Events
By Malware
Remediation Modules
Replicate Modules in Remediation Instances
Definition for Remediation Instance
Creating the Rule for DoS Mitigation
Rule together with mitigation instance for DoS blocking
Summary
- Universal Remediation Module
- Correlation Rule: if DoS detected
- Specific Remediation Instance
- Correlation Policy
Summary
- Traffic Profile
- Correlation Rule: if anomaly detected
- Generate alert
- Correlation Policy
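The two summaries above describe the same mechanism from two angles: a correlation policy holds rules, a rule fires on a condition (a DoS intrusion event, or a traffic sample outside the host's baseline profile), and the response is either a specific remediation instance built from a universal module or an alert. The following Python model is an added illustration of that flow and is not Sourcefire or FireSIGHT code; every class, the baseline numbers and the sample events are constructed for the example, and the "firewall" instance only records what it would block.

```python
"""Toy correlation policy: a DoS rule that invokes a remediation instance,
and a traffic-profile rule that raises an alert on anomalous volume.
Added illustration, not Sourcefire/FireSIGHT code; every class and the
sample data below are constructed for the example."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Callable, List, Optional


@dataclass
class IntrusionEvent:
    """Constructed stand-in for an IPS event record."""
    sid: int             # id of the rule that fired
    classification: str  # e.g. "attempted-dos"
    src_ip: str
    dst_ip: str
    impact: int          # 1 = target known vulnerable ... 4 = target unknown


class FirewallBlockInstance:
    """Specific remediation instance derived from a 'universal' block-source
    module. Hypothetical: it only records the source it would block."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.blocked: List[str] = []

    def __call__(self, event: IntrusionEvent) -> str:
        self.blocked.append(event.src_ip)
        return f"{self.name}: block {event.src_ip}"


@dataclass
class CorrelationRule:
    name: str
    condition: Callable[[IntrusionEvent], bool]
    responses: List[Callable[[IntrusionEvent], str]] = field(default_factory=list)


class TrafficProfile:
    """Baseline of bytes per interval; a sample is anomalous when it exceeds
    mean + sigma * standard deviation of the baseline."""
    def __init__(self, samples: List[float], sigma: float = 3.0) -> None:
        self.mean = mean(samples)
        self.stddev = pstdev(samples)
        self.sigma = sigma

    def threshold(self) -> float:
        return self.mean + self.sigma * self.stddev

    def is_anomalous(self, value: float) -> bool:
        return value > self.threshold()


class CorrelationPolicy:
    def __init__(self, rules: List[CorrelationRule]) -> None:
        self.rules = rules
        self.alerts: List[str] = []

    def process_event(self, event: IntrusionEvent) -> List[str]:
        """Run the responses of every rule whose condition matches."""
        actions = []
        for rule in self.rules:
            if rule.condition(event):
                for respond in rule.responses:
                    actions.append(f"[{rule.name}] {respond(event)}")
        return actions

    def process_traffic_sample(self, profile: TrafficProfile, host: str,
                               value: float) -> Optional[str]:
        """Traffic-profile rule: if anomaly detected, generate an alert."""
        if profile.is_anomalous(value):
            alert = (f"ALERT {host}: {value:.0f} bytes/interval exceeds "
                     f"baseline threshold {profile.threshold():.0f}")
            self.alerts.append(alert)
            return alert
        return None


def build_demo_policy():
    block = FirewallBlockInstance("edge-fw-block")
    dos_rule = CorrelationRule(
        name="if DoS detected against a vulnerable host",
        # impact <= 2 keeps the response to attacks that matter to the target
        condition=lambda e: e.classification == "attempted-dos" and e.impact <= 2,
        responses=[block],
    )
    return CorrelationPolicy([dos_rule]), block


def run_demo() -> dict:
    policy, block = build_demo_policy()
    # Constructed sample events using documentation address ranges
    events = [
        IntrusionEvent(1000001, "attempted-dos", "203.0.113.5", "192.0.2.10", impact=1),
        IntrusionEvent(1000002, "policy-violation", "203.0.113.6", "192.0.2.11", impact=3),
        IntrusionEvent(1000001, "attempted-dos", "203.0.113.7", "192.0.2.12", impact=4),
    ]
    actions = [a for e in events for a in policy.process_event(e)]
    # Constructed baseline: bytes per interval for one host
    profile = TrafficProfile([100, 120, 110, 95, 105, 115, 100, 110])
    quiet = policy.process_traffic_sample(profile, "192.0.2.10", 125)
    loud = policy.process_traffic_sample(profile, "192.0.2.10", 500)
    return {"actions": actions, "blocked": block.blocked,
            "alert_quiet": quiet, "alert_loud": loud}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Only the first DoS event produces a block: the third is a DoS against a host whose impact is unknown, so the rule's condition keeps the remediation from firing, which is the same filtering the impact flag provides in the funnel on the Speed slide. The baseline's threshold (mean + 3 sigma) lets the 125-byte sample pass and flags the 500-byte one.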
Policy Creation
Rule Creation
Traffic Profile
Enhanced High-Availability
- Devices directly connected via the HA Link external interfaces
- Clustered devices must be the same model with identical NetMods
- HA Link interface depends upon the potential throughput of each cluster member
IPv6 Awareness & Support
- IPv6 support is fully integrated, from policies to event viewers to table views
- Network discovery of IPv6 hosts
- User Agent, Impact Flag and rule recommendations all work with IPv6
- Nmap can scan over IPv6
- IPv6 discovery events can stream via eStreamer
AFTER
File Type Detection: Policy
Advanced Malware Protection Solution
- Dedicated FirePOWER appliance for Advanced Malware Protection with subscription, OR add-on subscription to any FirePOWER appliance for NGIPS
- Advanced Malware Protection subscription for hosts, virtual and mobile devices
Complete advanced malware protection to protect networks and devices
Dynamic Analysis: Process Overview
1. File detected on the FirePOWER appliance: calculates hashes; saves a copy if policy dictates*
2. FireSIGHT Management sends hash metadata to the AMP Cloud (FireAMP Cloud: metadata / hashes), via an optional proxy*
3. AMP Cloud response, e.g. Disposition = Unknown, Threat Score = Unknown*
4. If policy dictates, the file is sent to the VRT Dynamic Analysis Cloud* (files), via an optional proxy* (Sourcefire Cloud Services)
5. Dynamic analysis* returns: analysis queue status, error status, threat score
* = New with 5.3
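The process above has a privacy-relevant shape worth seeing in code: only the hash leaves the appliance for the disposition lookup, and the file content itself is sent on for dynamic analysis only when the disposition is unknown and policy permits it. The Python below is an added model of that flow, not Sourcefire, FireSIGHT or AMP code; the cloud, the sandbox (whose threat score is a constructed marker-string heuristic, not real sandboxing), the policy object and the sample files are all constructed for the example.

```python
"""Toy model of the AMP file-disposition flow: hash the file, ask a simulated
cloud for a disposition and, when policy allows, submit unknown files to a
simulated dynamic-analysis service. Added example, not Sourcefire/AMP code;
cloud, sandbox, policy and sample files are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict


@dataclass
class FilePolicy:
    store_copy: bool = True        # "saves a copy if policy dictates"
    dynamic_analysis: bool = True  # "sent for dynamic analysis if policy dictates"


class SimulatedAmpCloud:
    """Stand-in for the hash lookup: answers clean, malware or unknown."""
    def __init__(self, known: Dict[str, str]) -> None:
        self.known = known  # sha256 hex -> disposition

    def lookup(self, sha256: str) -> str:
        return self.known.get(sha256, "unknown")


class SimulatedDynamicAnalysis:
    """Stand-in for the sandbox: queue status, error status, threat score.
    The score comes from a constructed marker string, not real analysis."""
    BAD_MARKER = b"TOY-SANDBOX-BAD-BEHAVIOUR"

    def __init__(self) -> None:
        self.submitted: Dict[str, bytes] = {}

    def submit(self, sha256: str, content: bytes) -> str:
        self.submitted[sha256] = content
        return sha256  # the ticket is simply the hash

    def result(self, ticket: str) -> dict:
        content = self.submitted.get(ticket)
        if content is None:
            return {"queue_status": "not found", "error_status": "unknown ticket",
                    "threat_score": None}
        score = 95 if self.BAD_MARKER in content else 5
        return {"queue_status": "complete", "error_status": None, "threat_score": score}


def process_file(content: bytes, policy: FilePolicy, cloud: SimulatedAmpCloud,
                 sandbox: SimulatedDynamicAnalysis, stored: Dict[str, bytes]) -> dict:
    """Steps 1-5 of the overview for one file; returns what each step produced."""
    sha256 = hashlib.sha256(content).hexdigest()        # step 1: hash on the appliance
    disposition = cloud.lookup(sha256)                   # steps 2-3: hash-only lookup
    result = {"sha256": sha256, "disposition": disposition, "threat_score": None,
              "stored_copy": False,
              "action": "block" if disposition == "malware" else "allow"}
    if policy.store_copy:                                # step 1: keep a copy if policy says so
        stored[sha256] = content
        result["stored_copy"] = True
    if disposition == "unknown" and policy.dynamic_analysis:  # step 4: content leaves only now
        analysis = sandbox.result(sandbox.submit(sha256, content))  # step 5
        result["threat_score"] = analysis["threat_score"]
        result["analysis"] = analysis
    return result


def run_demo() -> dict:
    # Constructed sample files
    known_bad = b"%PDF-1.4 constructed sample that the toy cloud lists as malware"
    benign = b"hello world, a constructed benign document"
    suspicious = b"constructed dropper " + SimulatedDynamicAnalysis.BAD_MARKER
    cloud = SimulatedAmpCloud({hashlib.sha256(known_bad).hexdigest(): "malware"})
    sandbox = SimulatedDynamicAnalysis()
    stored: Dict[str, bytes] = {}
    policy = FilePolicy(store_copy=True, dynamic_analysis=True)
    return {
        "known_bad": process_file(known_bad, policy, cloud, sandbox, stored),
        "benign": process_file(benign, policy, cloud, sandbox, stored),
        "suspicious": process_file(suspicious, policy, cloud, sandbox, stored),
        "stored_count": len(stored),
        "files_sent_to_sandbox": len(sandbox.submitted),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The known-malware sample is blocked on the hash lookup alone and never reaches the sandbox; the two unknown files are submitted, and only the one carrying the constructed marker comes back with a high threat score. Setting `dynamic_analysis=False` in the policy reproduces the pre-5.3 behaviour where nothing but hash metadata leaves the appliance.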
Finding patient 0: Trajectory analysis
Look wide (AMP for Networks), look deep (AMP for Endpoints)
- Look wide: Network trajectory. What systems were infected? When did it happen? Where is patient 0? What else did it bring in?
- Look deep: Device trajectory
Network File Trajectory: the time of entry, systems infected
Can be launched directly from dashboard
Template created from the dashboard
Templates can be customized or created
Collective Security Intelligence
- Private & public threat feeds
- Outputs: IPS rules, malware protection, reputation feeds, vulnerability database updates
- Sourcefire Vulnerability Research Team
- Sandboxing, machine learning, big data infrastructure
- Inputs: Sourcefire AEGIS Program, Sandnets, file samples (>180,000 per day), FireAMP Community, honeypots, advanced Microsoft & industry disclosures, SPARK Program, Snort & ClamAV open source communities
Thank you for your attention
Trust the Strong (DŮVĚŘUJTE SILNÝM)