Next-Generation Intrusion Detection & Prevention
Manuel Minzoni, Brand Manager, ITWAY VAD
Today's Reality
"Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure." Neil MacDonald, VP & Gartner Fellow. Source: Gartner, Inc., The Future of Information Security is Context Aware and Adaptive, May 14, 2010.
Dynamic threats: organized attackers, sophisticated threats, multiple attack vectors.
Static defenses: ineffective defenses, black box limits flexibility, set-and-forget doesn't work.
Company Overview & Performance
Sourcefire Worldwide Locations
Worldwide HQ: Columbia, MD
Americas Sales: Vienna, VA
Education & Professional Services: Livonia, MI
EMEA HQ: Wokingham, UK
Southern Europe Sales: Paris, France
Central Europe Sales: Frankfurt, Germany
Japan Sales: Tokyo, Japan
Asia Pacific HQ: Singapore
ANZ Sales: Sydney, Australia
South American Sales: Sao Paulo, Brazil
Firemen Principles
About Sourcefire
Mission: to be the leading provider of intelligent cybersecurity solutions for the enterprise.
Founded in 2001 by Snort creator Martin Roesch, CTO. Headquarters: Columbia, MD. Focus on enterprise and government customers. Global Security Alliance ecosystem. NASDAQ: FIRE.
Powered by Snort
Global standard for intrusion detection and prevention; world's largest threat response community; interoperable with other security products; owned and controlled by Sourcefire, Inc. www.snort.org
Backed by the VRT
The Sourcefire Vulnerability Research Team (VRT) delivers research, analysis and best-in-class threat protection, drawing on 150+ private and public threat feeds, Snort and ClamAV community insight, advanced Microsoft and industry disclosure, and 20,000 malware samples per day.
Competitor Landscape
Gartner 2010 IPS Magic Quadrant
FACT: Sourcefire has been a leader in Gartner's IPS Magic Quadrant since 2006.
The Magic Quadrant is copyrighted 6 December 2010 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Sourcefire Insights Versus McAfee
"[McAfee] isn't considered widely by enterprises and channel partners as a strong network security provider." - Gartner 2010 IPS MQ Report
Ability to execute: larger channel & support infrastructure. Completeness of vision: broader product portfolio.
Key Sourcefire advantages: open detection engine & rules, real-time impact assessment, automated IPS tuning, broad third-party integration, virtual IPS offerings.
NSS Labs Group IPS Test: Block Rate Comparison
Source: graphic used with permission by NSS Labs, Network Intrusion Prevention Systems Comparative Test Results, December 2009.
NSS Labs Group IPS Test: Resistance to Evasion
Juniper missed 60% of evasions; TippingPoint missed 80% of evasions; Cisco missed 100% of evasions.
Source: graphic used with permission by NSS Labs, Network Intrusion Prevention Systems Comparative Test Results, December 2009.
Second-Annual NSS Labs IPS Group Test
About the test: published December 2010; 11 vendors evaluated; 1,179 live exploits; 75 anti-evasion test cases; no cost to vendors to participate.
Sourcefire test results: Recommend rating; best overall detection; best vulnerability coverage; best vendor-stated vs. actual performance; no evasions.
Best Overall Detection, Second Straight Year!
[Chart: overall detection rate per vendor, from 98% at the top down to 43%. Graphic by Sourcefire, Inc.; source data from NSS Labs Network IPS 2010 Comparative Test Results.]
Best Vulnerability Coverage, Second Straight Year!
[Chart: vulnerability coverage, Sourcefire versus Vendors 2 through 11.]
Best Vendor-Stated vs. Actual Performance, Second Straight Year!
[Chart: measured throughput as a percentage of vendor-stated performance, with 100% as the performance baseline.] Sourcefire's 2G IPS achieved 3.2G, 161% of vendor-stated performance. Most IPS products achieved well below vendor-stated performance claims. Graphic by Sourcefire, Inc.; computations derived from NSS Labs Network IPS 2010 Comparative Test Results.
Anti-Evasion Testing
[Chart: anti-evasion results, Sourcefire versus Vendors 2 through 11.]
IPS Solutions
Unique Solutions for Unique Markets
Sourcefire IPS portfolio, from simplicity for network generalists to feature-rich for security specialists: IPSx, IPS, NGIPS.
Sourcefire IPS Solutions Portfolio
IPSx: IPS detection & blocking; Snort rules & SEUs; reports, alerts & dashboard; policy management.
IPS adds: advanced policy management; Snort rule editing; custom workflows & tables.
NGIPS adds: impact assessment; automated tuning; host profiles & network map; network behavior analysis; application monitoring; user identity tracking.
Target Markets
IPSx: target user network admin / IT generalist; typical deployment perimeter; key benefits ease of deployment, simplified management, satisfy compliance; purchase motivations value oriented, set and forget, regulatory compliance.
IPS: target user security specialist; typical deployments all; key benefits open architecture, advanced policy management, detailed events, custom workflows; purchase motivations best-of-breed security, granular flexible policy, event details / analysis.
NGIPS: target user security specialist; typical deployments all; key benefits all IPS benefits plus context aware, impact assessment, automated tuning, network visibility, app monitoring, user identity tracking; purchase motivations IPS motivations plus automating key tasks, network visibility, rapid response.
Solution Ingredients
IPSx Solution = DC750x + IPSx Sensors
IPS Solution = Defense Center + 3D Sensors
NGIPS Solution = Defense Center + Awareness Bundle (Network, Application, Behavior, Identity) + 3D Sensors
Appliances / 3D8000 Series
Introducing Sourcefire 3D8000 Series: Speed Meets Flexibility
3D8000 Series Performance
3D8140: 10 Gbps throughput, 6 Gbps IPS throughput
3D8250: 20 Gbps throughput, 10 Gbps IPS throughput
3D8260: 40 Gbps throughput, 20 Gbps IPS throughput
3D8000 Series Product Line
All 3D8000 Series chassis support lights-out management, solid state drives, redundant power, and an LCD interface.
Hardware Platform Sets New Standard for Security Appliances
Modular: choose number and type of ports; lower entry prices. Expandable: add ports as needed. Scalable: add processing power as needed.
SSL Appliance
SSL Blind Spots
Network and security appliances are blind to the contents of SSL-encrypted communications.
Deployment Mode: Inbound SSL Inspection
[Diagram: a transparent SSL proxy sits in the path between the Web Browser (SSL Client) on the Internet/WAN side and the Web Servers (SSL Servers); the decrypted (inspected) traffic is passed to the security stack (IPS/IDS/DLP/Forensics/SIEM) under common control/management. Legend: Non-SSL, SSL, Decrypted (Inspected); Session 1, Session 2.]
Deployment Mode: Outbound SSL Inspection
[Diagram: a transparent SSL proxy sits between the internal Web Browser (SSL Client) and the Web Servers (SSL Servers) reached over the Internet/WAN; the decrypted (inspected) traffic is passed to the security stack (IPS/IDS/DLP/Forensics/SIEM) under common control/management. Labels: SSL Proxy, SSL Server; legend: Non-SSL, SSL, Decrypted (Inspected); Session 1, Session 2.]
SSL Appliance Features and Benefits
Inbound inspection: greater protection for internal servers from SSL-based threats.
Outbound inspection: prevents enterprise data leakage.
Transparent proxy: minimizes disruption to network configuration; compatible with ALL security devices.
SSL policy enforcement: detects invalid or unauthorized certificates; selectively inspects SSL traffic.
Fast path capability: lower latency of sensitive traffic via cut-through.
How It Works
Intelligent Correlation to the Target
The latest Windows attack targets both a Microsoft Windows server and a Linux server. The 3D Sensors block the attack and the attacks are correlated to their targets: the Windows server is vulnerable, so a high-priority event is generated for that target; the Linux server is not vulnerable, so the blocked event is simply logged. [Diagram: 3D Sensors, Defense Center, Windows Server, Linux Server.]
Intelligent Anomaly Detection
A new rogue host connects internally. Sourcefire detects the new host (new asset detected) and abnormal server behavior (hosts compromised); the abnormal behavior is logged and alerts are triggered. The Defense Center triggers alerts for IT to remediate the hosts. [Diagram: 3D Sensors, Defense Center.]
Intelligent Application Violation
The security team uses compliance whitelists to detect IT policy violations. A host is detected using Skype; the P2P app triggers a whitelist violation, a compliance event is logged and the user is identified, and IT and HR then contact the user. [Diagram: 3D Sensors, Defense Center.]
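As an added illustration, not Sourcefire's code, the following Python sketches how a passive host profile of the kind RNA builds drives both the target correlation on the correlation slide and the whitelist check on the application-violation slide. The impact ranking, the hosts, the rule id and the events are all constructed assumptions, not the vendor's actual scheme or data.

```python
# Added illustration, not Sourcefire code: a passive host profile (RNA-style,
# built from observed traffic) lets the IPS rank an intrusion event by the
# target's real exposure and flag apps a compliance whitelist does not allow.
from dataclasses import dataclass, field

@dataclass
class HostProfile:
    ip: str
    os_family: str                                # passively fingerprinted OS
    services: dict = field(default_factory=dict)  # listening port -> service
    apps: set = field(default_factory=set)        # client apps seen on the host

@dataclass
class IntrusionEvent:
    sid: int                # Snort rule id (constructed value)
    dst_ip: str
    dst_port: int
    affected_os: set        # OS families the targeted flaw applies to
    affected_service: str   # service the rule's vulnerability lives in

def impact_flag(event, hosts):
    """Simplified impact ranking (an assumption, not the vendor's exact
    scheme); lower number = more urgent. Returns (level, label)."""
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4, "unknown target"          # sensors never profiled this host
    if host.os_family not in event.affected_os:
        return 3, "not vulnerable"          # e.g. Windows exploit aimed at Linux
    if host.services.get(event.dst_port) == event.affected_service:
        return 1, "vulnerable"              # OS and listening service both match
    return 2, "potentially vulnerable"      # OS matches, service not seen on port

def whitelist_violations(host, allowed_apps):
    """Apps observed on the host that the compliance whitelist does not permit."""
    return host.apps - allowed_apps

# Constructed sample inventory (as sensors would build it) and a sample event.
HOSTS = {
    "10.0.0.10": HostProfile("10.0.0.10", "windows", {445: "smb", 3389: "rdp"}),
    "10.0.0.20": HostProfile("10.0.0.20", "linux", {22: "ssh", 80: "http"}),
    "10.0.0.30": HostProfile("10.0.0.30", "windows", {}, {"outlook", "skype"}),
}

def smb_event(dst_ip):  # constructed Windows SMB exploit event aimed at dst_ip
    return IntrusionEvent(1000001, dst_ip, 445, {"windows"}, "smb")

if __name__ == "__main__":
    for ip in ("10.0.0.10", "10.0.0.20", "10.0.0.30", "10.0.0.99"):
        print(ip, impact_flag(smb_event(ip), HOSTS))
    print(whitelist_violations(HOSTS["10.0.0.30"], {"outlook", "browser"}))
```

The same Windows SMB event lands as urgent on the vulnerable Windows host, as low priority on the Linux host, and as an unknown target on the unprofiled address, which is the triage the correlation slide describes.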
Sourcefire Products & Services
Next-Generation IPS
Defense Center management console; intrusion prevention; awareness technologies (networks, apps, behavior, users); SSL inspection; virtualization.
Virtual Appliances for VMware & Xen
Sourcefire Virtual 3D Sensor: identical IPS sensor functionality; available throughputs: 5, 45, 100, 250 & 500 Mbps.
Sourcefire Virtual Defense Center management console: identical Defense Center functionality, except no Master Defense Center (MDC) mode; manages both physical and virtual IPS 3D Sensors.
What is RNA? Sourcefire's Secret Sauce
Passive network intelligence that fuels powerful IPS automation: impact flags, automated IPS tuning, compliance rules & white lists, network behavior analysis. Detects hundreds of operating systems and applications.
Real-Time User Awareness (RUA)
RUA gives personality to security and compliance events! Clicking on a username reveals full name, telephone number, email, and department. Resolve security events more quickly when time is of the essence. Integrated into all Sourcefire 3D Sensors.
"Mapping a username to an IP address was taking us away from a backlog of other important tasks. What used to take up to an hour now takes just a second or two." Tamara Fisher, AutoTrader.com
Sample Sourcefire Detection
Hundreds of apps, OSs & devices! Categories: applications, operating systems, network infrastructure, consumer.
Sourcefire Appliance Product Lines
Sourcefire Defense Center: virtual appliances, DC500, DC1000, DC3000.
Sourcefire 3D Sensor: 3D500 (5 Mbps), 3D1000 (45 Mbps), 3D2000 (100 Mbps), 3D2100 (250 Mbps), 3D2500 (500 Mbps), 3D3500 (1 Gbps), 3D4500 (2 Gbps), 3D6500 (4 Gbps), 3D9900 (10 Gbps).
Sourcefire SSL Appliance.
3D System 4.10 Highlights
Expanded application & user awareness: detect Facebook, Blackberry, Hotmail & more; Nmap update detects 2,500+ operating systems; encrypted RUA communications.
Enhanced deployment & operation: inline IPS test mode; support for authenticated SMTP gateways & web proxies.
Improved third-party integration: direct database access for third-party reporting; support for SNMP polling; support for new Crossbeam products.
Improved performance & usability: improved GUI performance; track reviewed events by user; simpler installation of customer SSL certificates.
Refer to the What's New in 3D System 4.10 document for more information.
Customizable Dashboard
Comprehensive Ecosystem
Network infrastructure; SIEM / log management; configuration management; incident management; vulnerability management; systems management.
Sourcefire Services
"I can't say enough about the guys from Support. The phone gets picked up the moment I call. They stick with an issue diligently and make sure I get what I need. No other company has given me that level of service." Robert Wagner, Senior Security Architect
Customer Support: 24x7 phone, email, and web support; advanced hardware replacement.
Training & Certification: public and on-site training; Sourcefire & Snort certifications.
Professional Services: assistance with installation and optimization; knowledge transfer and best practices.
Why Sourcefire?
Powered by Snort; driven by awareness; best-in-class detection; open architecture; highly automated.
Stop doing things the old way! Try the next generation in intrusion detection & prevention.
Questions & Next Steps