The Internet of Everything is changing Everything

Transcription

1 The Internet of Everything is changing Everything

2 Next Generation Security John Tzortzakakis Security Solutions Architect, Security Business Group November 2014

3 Threat Landscape evolution 60% of data is stolen in hours 54% of breaches remain undiscovered for months 100% of companies connect to domains that host malicious files or services It is a Community that hides in plain sight avoids detection and attacks swiftly

4 Defense-in-Depth Security Alone is Not Enough Siloed Approach Increased complexity and reduced effectiveness Poor Visibility Undetected multivector and advanced threats Manual and Static Slow, manual, inefficient response

5 Building a Threat-Centric Cisco Security Architecture Attack Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate

6 Building a Threat-Centric Cisco Security Architecture Attack Continuum BEFORE Discover Enforce NGFW VPN Harden TrustSec UTM Secure Access + Identity Services DURING Detect NGIPS Block Defend Web Security Security AFTER Scope Advanced Malware Contain Protection Remediate Network Behavior Analysis Sandboxing Visibility - Automation - Management Security Intelligence and Services 6

7 Security is more than Application Control Application Detection is NOT Security Focus on the Apps? But miss the threat Legacy NGFWs can reduce attack surface area but advanced malware often evades security controls.

8 Cisco s Next Generation Security Offerings FirePOWER NGIPS Best-of-Breed NGIPS for Advanced Threat Protection Scalability up to 60Gbps+ Application and Identity Aware Lower TCO Through Automation Embedded Advanced Malware Prevention (AMP) Class-leading advanced malware solution File reputation and sandboxing Malware Forensics reports Malware and file Retrospection Cisco AMP Everywhere ensures pervasive coverage Cisco NGFW ASA w/ FirePOWER Services Only threat-focused NGFW to cover full attack continuum Available on existing ASA-x platforms Integrated NGIPS + AMP Ultra-Granular Policies: App, Identity, Risk, Business Relevance Common Technology across all offerings Flexible Deployment Appliance Virtual Cloud

9 Introducing Industry s First Adaptive Threat-Focused NGFW Cisco ASA with FirePOWER Services Proven Cisco ASA firewalling + Industry leading NGIPS and AMP #1 Cisco Security announcement of the year! Cisco Confidential 9

10 Cisco Adaptive Security Appliance (ASA) World s most proven Stateful inspection firewall ASA Platform Built upon 15 years of security innovation Widely deployed stateful firewall in Enterprise networks Class-leading AnyConnect VPN Network-wide identity and device access policy Multiple form factors (Physical & Virtual) Ready for Next Generation Networks like Software Defined Networks (SDN), Application Centric Infrastructure (ACI), NFV architectures and Open APIs.

11 Cisco ASA with FirePOWER Services Industry s First Adaptive, Threat-Focused NGFW Features Cisco ASA firewalling combined with Sourcefire next-generation IPS Integrated threat defense over the entire attack continuum Best-in-class security intelligence, application visibility and control (AVC), and URL filtering Superior, multilayered threat protection Unprecedented network visibility Advanced malware protection Reduced cost and complexity Benefits

12 Superior Integrated & Multilayered Protection Clustering & High Availability Network Firewall Routing Switching Cisco Collective Security Intelligence Enabled Intrusion Prevention (Subscription) Application Visibility & Control FireSIGHT Analytics & Automation Cisco ASA Advanced Malware Protection (Subscription) Built-in Network Profiling WWW URL Filtering (Subscription) Identity-Policy Control & VPN Cisco ASA enterprise-class stateful firewall Granular Cisco Application Visibility and Control (AVC) Industry-leading FirePOWER nextgeneration IPS (NGIPS) Reputation- and category-based URL filtering Advanced malware protection

13 Cisco ASA with FirePOWER Services A New, Adaptive, Threat-Focused NGFW Superior Visibility Integrated Threat Defense Best-in-class, multilayered protection in a single device Full contextual awareness to eliminate gaps Automation Simplified operations and dynamic response and remediation

14 Unprecedented Network Visibility Categories FirePOWER Services Typical IPS Typical NGFW Threats Users Web Applications Application Protocols File Transfers Malware Command & Control Servers Client Applications Network Servers Operating Systems Routers & Switches Mobile Devices Printers VoIP Phones Virtual Machines

15 Cisco s Information Superiority ANY EDGE Network Internet ANY WHERE Private DC Public DC 16B Daily Web Request 93B Daily Messages 100M Endpoints Cisco Cloud Security Intelligence and Research Group Pervasive Enforcement 100TB Security Intelligence 180K Daily Malwares

16 Indications of Compromise (IoCs) IPS Events SI Events Malware Events Malware Backdoors CnC Connections Connections to Known CnC IPs Malware Detections Malware Executions Exploit Kits Admin Privilege Escalations Office/PDF/Java Compromises Dropper Infections Web App Attacks

17 Impact Assessment IMPACT FLAG ADMINISTRATOR ACTION WHY 1 Act Immediately, Vulnerable Event corresponds to vulnerability mapped to host 2 Investigate, Potentially Vulnerable Relevant port open or protocol in use, but no vuln mapped 3 Good to Know, Currently Not Vulnerable Relevant port not open or protocol not in use 4 Good to Know, Unknown Target Monitored network, but unknown host Correlates all intrusion events to an impact of the attack against the target 0 Good to Know, Unknown Network Unmonitored network

18 AMP Provides Continuous Retrospective Security Breadth of Control Points WWW Endpoints Web Network IPS Devices Telemetry Stream File Fingerprint and Metadata File and Network I/O Continuous Feed Process Information Continuous Analysis

19 Cisco FireSIGHT Management Center Demo 19

20 Cisco FireSIGHT Management Center Demo The Power of FireSIGHT

21 2014 Vendor Rating for Security: Positive So do any network security vendors understand data center and what s needed to accommodate network security? Cisco certainly does. Cisco is disrupting the advanced threat defense industry. AMP will be one of the most beneficial aspects of the [Sourcefire] acquisition. The AMP products will provide deeper capability to Cisco's role in providing secure services for the Internet of Everything (IoE). Market Based on our (Breach Detection Systems) reports, Advanced Malware Protection from Cisco should be on everyone s short list. Recognition

22 Reduced Cost and Complexity Annual Costs of IPS Maintenance Multilayered protection in a single device Highly scalable Automates security tasks Impact assessment Policy tuning User identification Integrates with thirdparty security solutions $ $ Impact Assessment of IPS Events Typical IPS Cisco s FirePOWER Next-Generation IPS collectively saves this customer $230,100 per year. $ IPS Tuning $ Next-Generation IPS $ $3.000 Linking IPS Events to Users Source: SANS

23 IDC STAP Analysis (Specialized Threat Analysis and Protection products) Reduced time for: Annual Benefits of Limiting the Impact of Malware Infections Security management: 26.4% Address and remediate security breaches: 78.2% Security audits: 49.3%

24 Start with Best-of-breed Products NSS Labs Testing Sept, 2014 NEXT GENERATION FIREWALL COMPARATIVE ANALYSIS

25 NSS Labs Breach Detection Systems Security Value Map Cisco Advanced Malware Protection (AMP) has the lowest TCO of any product tested. It is also a a leader in security effectiveness achieving detection of 99 percent of all tested attacks AMP excelled in time-todetection, catching threats faster than competing Breach Detection Systems. Source: NSS Labs 2014 Source: NSS Labs 2014

26 NSS Labs Intrusion Prevention Systems Security Value Map Based on individual and comparative testing of vendors in the IPS market Cisco* FirePOWER NGIPS leads the Security Value Map and provides the best protection possible while also leading the class in total cost of ownership. Source: NSS Labs 2012 * Formerly Sourcefire FirePOWER Sourcefire Virtual IPS Sourcefire 3D8120 Sourcefire 3D8250 Sourcefire 3D8260 Source: NSS Labs 2012

27 2014 NSS Labs NGFW Security Value Map TM Consistent, industryleading security effectiveness Strong resistance to evasion High performance above published throughput Competitive total cost of ownership

28 Cisco ASA with FirePOWER Services Base Hardware and Software New ASA 5585-X Bundle SKUs with FirePOWER Services Module New ASA 5500-X SKUs running FirePOWER Services Software FirePOWER Services Spare Module/Blade for ASA 5585-X Series Spare SSD SKU for upgrading existing ASA 5500-X FirePOWER Services Software Hardware includes Application Visibility and Control (AVC) Management FireSIGHT Management Center (HW Appliance or Virtual) Cisco Security Manager (CSM) or ASDM Support SmartNET Software Application Support plus Upgrades

29 Five Subscription Packages to Choose From for Each Appliance AVC is part of the default offering AMP 1 & 3 year terms SMARTnet is ordered separately with the appliance URL IPS URL IPS URL IPS AMP IPS NGFW Packages NGIPS Packages Cisco ASA - Stateful Firewall Licenses

30 Performance and Deployment Options

31 Cisco ASA Multi-scale Performance Security for the Internet Edge 1 Gbps Max 100K Connections 10,000 CPS 1.2 Gbps Max 250K Connections 15,000 CPS 2 Gbps Max 500K Connections 20,000 CPS ASA 5525-X 3 Gbps Max 750K Connections 30,000 CPS ASA 5545-X 4 Gbps Max 1M Connections 50,000 CPS ASA 5555-X ASA 5512-X Branch Locations ASA 5515-X Small / Medium Internet Edge

32 Cisco ASA Multi-scale Performance Security for the Enterprise and Data Center ASA 5585-SSP10 4 Gbps Max 1 Million Connections 50,000 CPS ASA 5585-SSP20 10 Gbps Max 2 Million Connections 125,000 CPS ASA 5585-SSP40 20 Gbps Max 4 Million Connections 200,000 CPS Enterprise Internet Edge and Data Center ASA 5585-SSP60 40 Gbps Max 10 Million Connections 360,000 CPS

33 Performance Impacts by Location NGFW Performance Impact Factors Direct Different traffic types Different average packet Sizes Indirect Physical Placement Amount of traffic to be inspected Level of malicious traffic Level of analysis and logging Firewall max throughput numbers tend to be based on non-helpful packet sizes (UDP 1518 byte packet size is fairly common) IPS performance range is much more variable than firewalls, and partly because of industry choice (TCP 440 byte HTTP is fairly common) Multi-features devices must somehow provide useful, accurate performance numbers

34 Location Specific Traffic Profiles When deploying FirePOWER Services for ASA, the traffic profiles at the location can impact the performance of the device differently than standard test methods. Educational, ISP, and SMB protocol mixes have a slight impact Enterprise applications and Enterprise Datacenter have a greater impact

35 FirePOWER Services for ASA Data Sheet FirePOWER Services for ASA will include both a maximum throughput number as well as a TCP 440 Byte HTTP number more relevant for sizing. Model 5512-X 5515-X 5525-X 5545-X 5555-X Maximum Application Control Throughput in Mbps Maximum Application Control and IPS Throughput in Mbps Application Control or IPS Sizing Throughput in Mbps (440 Byte HTTP)

36 FirePOWER Services vs. ASA Classic IPS IPS-only test comparing throughput of FirePOWER Services for ASA to the classic IPS only module. Tested using the same 440 byte HTTP Transactional test that was the benchmark for classic IPS FirePOWER Services On ASA Classic IPS on ASA

37 Upgrading from ASA Classic IPS to FirePOWER Services for ASA When upgrading from classic IPS to FirePOWER services, adding new features can require a platform change. Generally each new major feature is a step up, assuming the box is near capacity. Model 5512-X 5515-X 5525-X 5545-X 5555-X Original IPS Module FirePOWER IPS + AVC FirePOWER IPS + AVC + AMP

38 Investment Protection: Pay as you Grow Horizontal Scaling FW MAX Throughput: 640 Gbps FW+FirePOWER IPS Maximum Throughput: 160+ Gbps FirePOWER IPS 440 Byte Throughput: 96 Gbps Up to 16 ASA 5585-X Devices

39 FirePOWER Services Support All Current ASA Deployment Models* Clustering for linear scalability Up to 16x ASA in cluster Eliminates Asymmetrical traffic issues Each FirePOWER Services module inspects traffic independently Multi-context mode for policy flexibility Each ASA Interface appears as a separate interface to FirePOWER Services module Allows for granular policy enforcement on both ASA and FirePOWER services *State sharing does not occur between FirePOWER Services Modules HA for increased redundancy Redundancy and state sharing (A/S & A/A pair) L2 and L3 designs

40 Features - Packet Flow

41 Functional Distribution of Features URL Category/Reputation NGIPS Application Visibility and Control Advanced Malware Protection File Type filtering File capture FirePOWER Services TCP Normalization TCP Intercept IP Option Inspection IP Fragmentation *Botnet Traffic Filter NAT Routing ACL VPN Termination ASA

42 Packet Processing Order of Operations ASA Module processes all ingress packets against ACL, Connection tables, Normalization and CBAC before traffic is forwarded to the FirePOWER Services module ASA provides flow normalization and context-aware selection/filtering to the FirePOWER Services Clustered ASA provides flow symmetry and HA to the FirePOWER Services Packets and flows are not dropped by FirePOWER Services Packets are marked for Drop or Drop with Reset and sent back to ASA This allow the ASA to clear the connection from the state tables and send resets if needed Yes RX Pkt Ingress Interface Existing Conn No NAT Rule ACL Permit DROP Yes No Inspection Sec Checks DROP No NAT IP Header No MPF Yes Original IP Session metadata FirePOWER Services Module TX Pkt L2 Addr Yes L3 Route Yes Egress Interface No No No DROP DROP DROP

43 ASA 5585-X Data Port Utilization ASA SSP processes all ingress and egress packets No packets are directly processed by FirePOWER SSP ports except for the FirePOWER SSP management port. ASA configures and controls the FirePOWER SSP data ports SFR-SSP Module Signature Engine CPU Complex PORTS Fabric Switch ASA-SSP Module Mezzanine Slot CPU Complex Fabric Switch ASA5585-X PORTS

44 ASA 5500-X Data Port Utilization ASA OS processes all ingress and egress packets No packets are directly processed by FirePOWER Services Backplane communication between ASA and FirePOWER Services Traffic is dropped at ASA OS Level ASA KVM ASA OS SFR S/W Module Firewall Services Memory Based Packet Rings ASA5500-X Mid-Range PORTS

45 Management

46 Managing Cisco ASA FirePOWER Services Two Managers with Cross-launch Cisco FireSIGHT Management Center Models: 750, 1500, 3500, Virtual Appliance (Promo PID available) Cisco Security Manager (CSM) or ASDM CSM version 4.7

47 ASA Single Device Manager Device Dashboard Firewall Dashboard FireSIGHT* Traffic Reports *Roadmap

48 FirePOWER & FireSIGHT benefits Enhanced Visibility 1,800+ Applications + stats File types, transfer direction/protocol Mobile Device type, OS, version Geolocation (country, postcode, time zone, lat/long., ISP, etc.) IPv6 address support throughout Improved UI/Admin Visual Device Management Security and Network Admin Roles Admin Role Editor Dashboards/Reporting Customizable Widgets Graphical Reports Report Creator

49 FirePOWER & FireSIGHT benefits Expanded Controls Application Control on NGIPS URL Filtering File Blocking Security Intelligence / IP Blacklisting Geolocation Blocking (in v5.3) Security Automation Impact Assessment Recommended Rules Advanced Malware Protection Network File Trajectory Network Malware Blocking

50 FireSIGHT Management Center Models Virtual Max. Devices Managed Event Storage Virtual FireSIGHT Management Center Up to GB 125 GB 1.8 TB 400 GB 4.8/6.3 TB Managed Devices Max. Network Map (hosts / users) Events per Sec (EPS) 2K/2K 50K/50K 150K/150K 300K/300K 600K/600K * Max number of devices is dependent upon sensor type and event rate Virtual FireSIGHT Management Center offerings limited to 2 or 10 Managed Devices FS-VMW-2-SW-K9 FS-VMW-10-SW-K9

51 Cisco Security Manager Multi-Device Management Centralized, Unified and comprehensive Firewall, VPN and IPS management Device View Policy View Map View Event View Device View Policy View Map View Event View Report CiscoView Public

52 Cisco Security Manager At-a-Glance Policy Comprehensive Policy Management for FW, VPN & IPS on heterogeneous devices (ASA, Cisco classic IPS, FWSM, PIX, ISR/ASR) API Cisco Security Manager Log Log Management Firewall (Syslogs) and Cisco classic IPS (SDEE) events Health & Performance Monitoring for ASA and Cisco classic IPS Reports for Firewall and Cisco classic IPS Devices Image Management for ASA and Cisco classic IPS Image Reports API for Policy Access Supports hundreds of devices in a single deployment Network Health Windows Based: Appliance Form factor and also available as a Software Installable

53 FireSIGHT Management Center Cross-launch Menu CSM Client FMC WEB UI Crosslaunches directly to FMC without prompting for login and navigates to dashboard of device in context

54 Enhance with Cisco Security Services Advisory Integration Managed Custom Threat Intelligence Integration Services Managed Threat Defense Technical Security Assessments Security Optimization Services Remote Managed Services

55 Cisco Services Portfolio Assessments Deployment Architecture and Design Migration Program Strategy Optimization Product Support Managed Security Hosted Security

56 FirePOWER Services New Capabilities Save File Content Policy Control Safe Retrieval File Detection Custom Apps SHA256 Dynamic Analysis File Threat Scores Block by Threat Score Threat Summary Execution Reports 3rd Party Response Forensics Block Source Block Destination Country Continent Prioritize Response Discover infected hosts Correlates data from all engines Endpoint and Network working together

57 Thank you