FP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer
3 Agenda Introduction The Issue of Threats Introduction to IPS Deploying IPS Operationalise IPS Q & A
4 Objectives: What will you learn in this session?
Next Generation Security and IPS Fundamentals: understand the basic premise of Next-Generation Firewall and IPS.
Cisco NGIPS Solutions: understand what different Cisco NGIPS solutions exist and how they differ.
Deploying Cisco NGIPS: understand the process to select the right NGIPS solution, and what the important considerations are when deploying NGIPS.
Operationalise FirePOWER NGIPS: a high-level understanding of the process of operating FirePOWER NGIPS, with a sample workflow of an incident.
5 Objectives: What is not covered (in depth) in this session? Not covered in depth here, so check out: BRKSEC Firepower 9300 Deep Dive (Thursday 10 Mar, 4:30 PM - 6:00 PM, room 207; Andrew Ossipov, Principal Engineer, Cisco); BRKSEC ASA and FirePOWER in ACI (Thursday 10 Mar, 4:30 PM - 6:00 PM, room 208; Goran Saradzic, Technical Marketing Engineer, Cisco); BRKSEC Advanced - ASA Clustering Deep Dive (Friday 11 Mar, 8:45 AM - 10:45 AM, room 104; Andrew Ossipov, Principal Engineer, Cisco); BRKSEC Troubleshooting: ASA Firepower NGFW (Friday 11 Mar, 2:00 PM - 4:00 PM, room 104; Prapanch Ramamoorthy, Engineer, Technical Services, Cisco).
6 The Issue of Threats
7 What Do You Do?
8 What Does an Attacker See?
9 No Matter How Good Your Security Is
10 Introduction to IPS
11 2016 Cisco Annual Security Report
12 Introduction to IPS What is IPS?
13 Why do I need IPS Challenges come from every direction Sophisticated Attackers Complicit Users Dynamic Threats Boardroom Engagement Defenders Complex Geopolitics Misaligned Policies
14 Cisco NGIPS Solutions
15 Cisco NGIPS Solutions: Next-Generation Firewall. Next-Generation Firewalls perform deep inspection of traffic and threat prevention, building on the traditional firewall with: an integrated signature-based IPS engine; application visibility and granular control (AVC); identity awareness and control; URL filtering; the capability to incorporate external information (feeds).
16 Cisco NGIPS Solutions: Traditional IPS. Traditional IPS provides signature-based pattern matching for detection and prevention of intrusion attempts. It is typically deployed behind a firewall or in IDS mode, typically as a bump in the wire. It often looks for exploits rather than vulnerabilities, often overwhelms operators with irrelevant events, doesn't give much contextual information to act on, and requires a high level of tuning. As a result, traditional IPS often needs additional devices to perform other related tasks, is often minimally effective or isn't used at all, requires massive amounts of time and resources to make it work, and may leave organisations exposed.
17 Cisco NGIPS Solutions: Next-Generation IPS. Next-Generation IPS extends traditional IPS with: application awareness, to enable visibility into new L7 threats and reduce the attack surface; contextual awareness, providing information to better understand events and to enable automation and reduce cost, complexity and tuning; content awareness, determining file types and whether or not they can be malicious. Next-Generation IPS is often deployed as part of a Next-Generation Firewall.
18 Cisco NGIPS Solutions: historical perspective. Snort was created by Martin Roesch in 1998; Snort is both a language and an engine, and the open-source community rapidly adopted and developed it. Sourcefire was founded in 2001 by Martin Roesch to create a commercial version of Snort. Sourcefire acquired Immunet, a cloud-based anti-malware vendor, in 2011. Cisco acquired Sourcefire in 2013 for $2.7 billion.
19 Cisco NGIPS Solutions Cisco FirePOWER NGIPS Cisco FirePOWER NGIPS/NGFW Next-Generation IPS, Firewall, and Anti-Malware Solution Supported on Firepower 7000 and 8000-series Appliances Supported on ASA5500-X and ASA5585-X Supported on Firepower 4100 and 9300 Supported in VMware ESX and AWS
20 Cisco NGIPS Solutions What does a Security Appliance offer
21 Cisco NGIPS Solutions: ASA with FirePOWER Services.
Base hardware and software: 5585-X bundle SKUs with the FirePOWER Services module; 5585-X enhanced performance models; 5500-X SKUs running FirePOWER Services software; new 5506/8/16-X for SMB, distributed enterprises and industrial control. Hardware includes Application Visibility and Control (AVC).
Security subscription services: FirePOWER Services licences are separate from the ASA licence; IPS, URL and Advanced Malware Protection (AMP) subscriptions; one-, three- and five-year term options; available via ELA.
Management: FireSIGHT Management Centre (HW appliance or virtual); Cisco Security Manager (CSM) or ASDM to manage ASA features; ASDM manages both ASA and FirePOWER Services on the new ASA low/mid models.
22 Cisco NGIPS Solutions: ASA with FirePOWER Services architecture. The ASA processes all ingress and egress packets; no packets are processed directly by the FirePOWER module except its own management traffic. Traffic is redirected to the FirePOWER (SFR) module by a policy-map applied as a service policy; the fail-open or fail-close setting of that redirect decides what happens to the redirected traffic if the module goes down. FirePOWER then provides the Next-Generation Firewall services. (Diagram: ASA 5585-X with FirePOWER Services; SFR module with crypto/regex engine and CPU complex; ASA module with crypto engine and CPU complex; 10GE NICs and ports on both, joined by the backplane fabric switch; ASA ingress, FirePOWER ingress, egress after FirePOWER processing.)
23 Cisco NGIPS Solutions: FirePOWER Appliances.
Base hardware and software: single-pass architecture; 8000 series with modular interface options (NetMods), including 10 and 40 Gbps; clustering support for HA; stacking capable for increased throughput, up to 60 Gbps; 71x5 series with 8 fail-closed SFP ports; 7000 series with built-in 1 Gbps copper interfaces; virtual FirePOWER NGIPSv for VMware ESX/ESXi.
Security subscription services: IPS, URL and Advanced Malware Protection (AMP) subscriptions; one-, three- and five-year term options; available via ELA.
Management: FireSIGHT Management Centre (HW appliance or virtual).
24 Cisco NGIPS Solutions: FirePOWER Appliances architecture (diagram). From top to bottom: FirePOWER applications (NGIPS, AppID, AMP) and application/control-plane processing on the CPU; beneath that, the NFE and NMSB hardware layers providing L2-L7 classification, stateful flow processing, PKI and bulk cryptography, flow-based load balancing, L2 switching / L3 routing / NAPT, L2-L4 packet classification and packet-based load balancing; at the bottom, the physical interfaces with integrated bypass relays on the NetMods.
25 Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances.
Form factor: ASA with FirePOWER Services = ASA 5500-X, 5585-X; FirePOWER Appliances = 8000 and 7000 series physical appliances, and virtual appliances.
Performance: ASA with FirePOWER Services = up to 10 Gbps NGIPS on a single 5585-X SSP-60; FirePOWER Appliances = up to 60 Gbps on an 8390.
Deployment: ASA with FirePOWER Services = physical ASA inline deployment, HA, clustering; FirePOWER Appliances = physical or SPAN deployment, HA.
Use case: both = inline and promiscuous NGIPS and NGFW.
Packet flow: ASA with FirePOWER Services = from the ASA to the FirePOWER module; FirePOWER Appliances = directly through the FirePOWER appliance.
Management: ASA with FirePOWER Services = CSM/ASDM for the ASA, FMC/ASDM* for FirePOWER Services; FirePOWER Appliances = FireSIGHT Management Centre.
26 Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances (features).
Features: ASA with FirePOWER Services = all ASA features plus most FirePOWER features; FirePOWER Appliances = FirePOWER features.
Multi-context: ASA with FirePOWER Services = ability to apply FirePOWER policy per context and generate reports on a per-context basis; FirePOWER Appliances = ability to define security zones and apply policy and generate reports per zone.
SSL decryption: both = integrated, as well as with an external appliance.
VPN: ASA with FirePOWER Services = multiple remote-access and site-to-site options (IPsec, SSL); FirePOWER Appliances = limited site-to-site IPsec support.
HA: ASA with FirePOWER Services = Active/Standby, Active/Active, clustering; FirePOWER Appliances = Active/Standby (clustering).
Routing: ASA with FirePOWER Services = static, EIGRP, OSPF, BGP, RIP, multicast; FirePOWER Appliances = static, OSPF, RIP.
Identity: ASA with FirePOWER Services = SFUA, AD Agent, CDA, and TrustSec on the ASA; FirePOWER Appliances = SFUA, AD Agent, passive discovery.
Bypass: ASA with FirePOWER Services = module fail-open; FirePOWER Appliances = Automatic Application Bypass, hardware bypass.
27 NGIPS Solutions Pop Quiz! Q. Which devices have hardware bypass? A. FirePOWER appliances
28 Deploying Cisco NGIPS
29 IPS Deployment Cycle, the main steps: Network Security Policy; Use Cases; Location; Connectivity; Performance; Availability and Scaling; Management.
30 Policy Network Security Policy Outlines rules for computer network access Determines how policies are enforced Basic Architecture of the network security environment Keep malicious users, applications and traffic out Keep internal data in Attack Mitigation and Incident Response Align to business needs
31 Use Case: What problem are we solving?
Traditional FW: 5-tuple access control, stateful protocol inspection, NAT, routing.
VPN: remote access, site-to-site, NAT, routing.
NGFW: application visibility and control, user-based controls, filtering web access, encrypted traffic.
Malware: Trojan horses, rootkits, ...; scope spreading; 0-days.
NGIPS: intrusion detection, intrusion prevention, encrypted traffic, compliance, network forensics.
32 Use Case: Intrusion Prevention. Identify, log and/or prevent intrusion attempts. Everything that matters for IDS also applies to IPS. The right tuning is even more important, because false positives may drop good traffic, and an inline deployment may have an impact on performance. Often an IPS is first deployed as an IDS, then tuned before the inline deployment. Contextual visibility is key!
33 Location What Network Segment do we want to protect? Internet Edge Data Centre Branch Core Extranets Critical Network Segments
34 Location: Internet Edge. The enterprise's gateway to cyberspace, serving diverse building blocks: allow outbound employee traffic and inbound traffic to servers; filter outbound employee traffic. There is a need for a diversified policy protecting both the DMZ and the users. Expected threats include (D)DoS, intrusion attempts and application-layer attacks. Relevant controls: URL and application filtering, IPS/IDS, SSL decryption, anti-malware.
35 Connectivity What Interfaces are needed How Many Interfaces? Fiber or Copper? Bypass or non-bypass Interface Speed? Need for bundling Interfaces? Need for Wireless?
36 Connectivity: Interface Options on ASA with FirePOWER Services (columns: 5506-X, 5506H-X, 5506W-X, 5508/16-X, 5512/15/25-X, 5545/55-X; the model headers were partly lost in the transcription and are reconstructed from the row values).
Fixed 1GE Interfaces: counts not preserved in the transcription.
Modular Interfaces: NO, NO, NO, NO, 6 GE copper or SFP, 6 GE copper or SFP.
Integrated Wireless AP: NO, NO, YES (5506W-X), NO, NO, NO.
Hardware Fast Path: NO on all models.
Monitor-Only Mode: YES on all models.
37 Connectivity: Interface Options on ASA 5585-X with FirePOWER Services (column headers garbled in the transcription; the three value columns appear to be SSP-10/SSP-20, SSP-40 and SSP-60).
Fixed 1GE Interfaces: counts not preserved in the transcription.
SFP+ Sockets: 4 (1/10 GE), 6 (1/10 GE), 8 (1/10 GE).
Hardware Fast Path: NO, NO, NO.
Monitor-Only Mode: YES, YES, YES.
38 Connectivity: Interface Options on FirePOWER Appliances (columns: NGIPSv, 7000 series, 7100 series, 8100 series, 8200/8300 series; the middle headers were lost in the transcription and are reconstructed from the stacking and bypass rows).
Modular Interfaces: N.A., NO, 8 GE copper or SFP*, up to 3 modules (1/10 GE), up to 7 modules (1/10/40 GE).
Monitoring Interfaces (max): N.A. for NGIPSv; the other values were not preserved.
Hardware Bypass: NO, YES, YES, YES, YES.
Hardware Fast Path: NO, NO, NO, YES, YES.
* 7115, 7125 and 7150 models only.
39 Connectivity: Network Modules for FirePOWER 8000 Series.
Integrated bypass NetMods: 1-Gbps 4-port copper; 1-Gbps 4-port fiber; 10-Gbps 2-port fiber SR (short-reach); 10-Gbps 2-port fiber LR (long-reach).
Non-bypass NetMods: 1-Gbps 4-port copper; 1-Gbps 4-port fiber; 10-Gbps 4-port fiber SR (short-reach); 10-Gbps 4-port fiber LR (long-reach); 40-Gbps 2-port fiber SR (8200/8300 only).
40 Connectivity Pop Quiz! Q. How many monitoring interfaces does a 3D7000 have? A. 8
41 Performance: How to measure, and why it matters?
Sizing: which device do I need to buy? An upgrade of an existing device, or a new one?
Features: what features am I going to need or want to run? Firewall, IPS, application control, URL, malware?
Location: where is the device in the network? In front of a DNS-only data centre with millions of very small, very fast transactions, or in front of HTTP web servers serving normal web pages? A data centre looking only at internal traffic, or an Internet edge looking at the wild Internet?
As with all performance discussions, YOUR MILEAGE MAY VARY!!
42 Performance: Determining your IPS performance needs. What does your traffic mix look like? What is your peak throughput? What features will you need? What is your peak conn/s and maximum concurrent connections? How much latency is acceptable? Can we exclude traffic from inspection? Use NetFlow, NBAR, AVC and ASA statistics to find out. Plan for the future!
43 Performance Throughput testing methodology Datasheets generally have some indication of performance. In most cases this includes the infamous throughput measurement. Different product spaces have different typical throughput tests. The firewall industry almost always publishes a max throughput number, usually based on a traffic type that is never helpful in determining sizing of the product. UDP 1518 byte packet size is fairly common. The IPS industry has generally been more conservative about throughput estimates on their datasheets, partly because their performance range is much more variable than firewalls, and partly because of industry choice. TCP 440 byte HTTP is fairly common.
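The two performance slides above boil down to a procedure: measure your own peak throughput and packet size from flow data, decide what you can exclude from inspection, and then translate the datasheet number (which was measured at some other packet size) into what it is worth at your packet size. The following script is an added example written for this page; it is not code from the Cisco Live deck or from Cisco. It assumes NetFlow-style records exported from the segment to be protected, each as (start time, bytes, packets, application); the records are constructed, and the packet-size rescaling in rated_at_packet_size() is a deliberately simple pps-bound model, not a vendor formula.

```python
"""Sizing input for an NGIPS from sampled flow records (added example)."""
from collections import defaultdict

# Constructed one-minute flow records: (start_epoch_s, bytes, packets, app).
FLOWS = [
    (0,     600_000_000,   400_000, "http"),
    (0,      90_000_000,   700_000, "dns"),
    (60,  1_200_000_000,   800_000, "http"),
    (60,  2_000_000_000, 1_350_000, "backup"),
    (60,     50_000_000,   500_000, "dns"),
    (120,   300_000_000,   200_000, "https"),
]

BUCKET_S = 60  # aggregation interval; the peak is taken over these buckets


def buckets(flows, exclude=frozenset()):
    """Aggregate bytes and packets per BUCKET_S interval, skipping excluded apps."""
    agg = defaultdict(lambda: [0, 0])
    for start, nbytes, npackets, app in flows:
        if app in exclude:
            continue  # traffic the access control policy will not send to IPS
        key = start // BUCKET_S
        agg[key][0] += nbytes
        agg[key][1] += npackets
    return dict(agg)


def peak_mbps(flows, exclude=frozenset()):
    """Peak inspected throughput in Mbit/s over all buckets."""
    return max(b * 8 / BUCKET_S / 1e6 for b, _ in buckets(flows, exclude).values())


def avg_packet_bytes(flows, exclude=frozenset()):
    """Average packet size of the inspected traffic, the figure that drives IPS load."""
    agg = buckets(flows, exclude).values()
    return sum(b for b, _ in agg) / sum(p for _, p in agg)


def rated_at_packet_size(rated_mbps, rated_pkt_bytes, actual_pkt_bytes):
    """Rescale a datasheet figure measured at one packet size to your packet size.

    Assumption (simplified model): inspection is bounded by packets per second,
    so a box rated at rated_mbps with rated_pkt_bytes packets sustains the same
    pps at your size, i.e. proportionally fewer Mbit/s for smaller packets.
    """
    return rated_mbps * actual_pkt_bytes / rated_pkt_bytes


def fits(flows, rated_mbps, rated_pkt_bytes, exclude=frozenset(), headroom=1.5):
    """True if the rescaled datasheet figure covers the peak with growth headroom."""
    need = peak_mbps(flows, exclude) * headroom
    have = rated_at_packet_size(rated_mbps, rated_pkt_bytes,
                                avg_packet_bytes(flows, exclude))
    return have >= need


if __name__ == "__main__":
    for excl in (frozenset(), frozenset({"backup"})):
        print(f"exclude={sorted(excl)}: peak {peak_mbps(FLOWS, excl):.0f} Mbps, "
              f"avg packet {avg_packet_bytes(FLOWS, excl):.0f} B")
    # A 1 Gbps figure quoted at UDP 1518 B is worth far less at 440 B HTTP.
    print(f"1000 Mbps @1518 B -> {rated_at_packet_size(1000, 1518, 440):.0f} Mbps @440 B")
    print("500 Mbps @1518 B box fits:", fits(FLOWS, 500, 1518),
          "/ fits once backup is excluded:", fits(FLOWS, 500, 1518, {"backup"}))
```

Run it as-is and the constructed data makes the slide's point twice over: excluding the backup traffic from inspection cuts the peak from about 433 Mbps to 167 Mbps, and a datasheet figure taken at 1518-byte packets shrinks by roughly a factor of 3.5 when your real average is 440 bytes. Replace FLOWS with your own NetFlow export and the exclusion set with the applications your access control policy will pass without IPS inspection.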
44 Performance Pop Quiz! Q. What metric does the IPS industry use to measure throughput? A. 440 Byte packet size
45 Availability and Scaling: What should happen if the IPS fails?
Network availability: ASA with FirePOWER Services = ASA with FirePOWER fail-open; FirePOWER Appliance (promiscuous) = N.A.; FirePOWER Appliance (inline) = Automatic Application Bypass, hardware bypass, alternate path.
Security availability: ASA with FirePOWER Services = ASA A/S failover; FirePOWER Appliance (promiscuous) = FirePOWER clustering, passive redundancy; FirePOWER Appliance (inline) = FirePOWER clustering (inline, switched or routed).
46 Availability and Scaling: How to scale beyond what one appliance can do?
Scaling: ASA with FirePOWER Services = N.A.; FirePOWER Appliance (passive) = stacking; FirePOWER Appliance (inline) = stacking.
Scaling + availability: ASA with FirePOWER Services = ASA clustering*; FirePOWER Appliance (passive) = clustered stack, or FirePOWER passive appliances with EtherChannel/RSPAN*; FirePOWER Appliance (inline) = clustered stack, or ASA with FirePOWER appliances*.
* Can be deployed in asymmetric traffic environments.
47 Scaling: Stacking for FirePOWER 8000 Series. 4x stacking is supported on the 8300 series, 2x stacking on the 8100 series. Throughput steps shown: 15 Gbps, 30 Gbps, 45 Gbps, 60 Gbps.
48 Availability and Scaling: Options on FirePOWER Appliances (columns: NGIPSv, 7000 series, 7100 series, 8100 series, 8200/8300 series; the middle headers are reconstructed as on the interface-options slide).
FirePOWER Stacking: NO, NO, NO, YES (2), YES (4).
FirePOWER Clustering: NO, YES, YES, YES, YES.
Clustered Stacks: NO, NO, NO, YES, YES.
Automatic Application Bypass: YES on all.
Hardware Bypass: NO, YES, YES, YES, YES.
* 7115, 7125 and 7150 models only.
49 Scaling + Availability: Clustering for ASA 5500-X (scaling and availability for FirePOWER Services). Can be deployed in an asymmetric environment. Up to 16 ASA 5585-X, or two ASA 5500-X, with FirePOWER Services. Stateless load balancing by the external switch, with support for vPC and LACP. Cluster Control Protocol/Link: state sharing between the firewalls for concerted operation and high availability; every session has a primary and a secondary owner. The ASA provides traffic symmetry to the FirePOWER modules. (Diagram: vPC, ASA cluster, vPC.)
50 Availability and Scaling: Options on ASA with FirePOWER Services (columns: 5506-X, 5506H-X, 5506W-X, 5508/16-X, 5512/15/25-X, 5545/55-X, 5585-X; headers reconstructed as on the interface-options slide).
Multi-Context: NO, NO, NO, YES, YES, YES, YES.
High Availability: A/S, A/S, A/S, A/S and A/A, A/S and A/A, A/S and A/A, A/S and A/A.
Clustering: NO, NO, NO, NO, YES (2), YES (2), YES (16).
Module Fail-Open: YES on all.
Automatic Application Bypass: NO on all.
51 Scaling Quiz! Q. How many 8300 appliances are in an 8390 stack? A. 4
52 Management: FireSIGHT Management Center. Management platforms: FireSIGHT Management Center and ASDM*. FireSIGHT Management Center can be an appliance or a VM; FireSIGHT Management Center appliances can be deployed in HA. Determining factors: device type, deployment size, cost, other security devices, scaling requirements, responsibilities. * ASDM currently only manages FirePOWER Services on the 5506/8/16.
FMC: server with web-based UI; VM or appliance; number of devices managed: value not preserved in the transcription; cost: $; manages FirePOWER and FirePOWER Services; extensive contextual awareness and visibility; detailed event collection: extensive; reporting: extensive; health monitoring: extensive.
ASDM: on-box; runs on the ASA; no charge; manages the ASA and FirePOWER Services on select platforms; contextual awareness and visibility: basic, no IoC or impact assessment; event collection: basic; reporting: basic; health monitoring: basic (CPU, memory).
53 Management: FireSIGHT Management Center appliances (the model column headers were not preserved in the transcription; values are listed in the order they appear, virtual first).
Maximum devices managed: Virtual FireSIGHT Management Center up to 25 managed devices; for the appliances, the maximum number of devices depends on sensor type and event rate.
Event storage: 100 GB, 125 GB, 1.8 TB, 400 GB, 4.8/6.3 TB.
Maximum network map (hosts/users): 2,000/(value lost), 50,000/50,000, 150,000/150,000, 300,000/300,000, 600,000/600,000.
Events per second (EPS): (value lost), 10,000, 20,000.
Virtual FireSIGHT Management for 2 or 10 ASA devices only, not upgradeable: FS-VMW-2-SW-K9, FS-VMW-10-SW-K9.
54 Operationalise Cisco NGIPS
55 Operationalise NGIPS 1. Detection Capabilities 2. Implementation 3. Policies Discovery 6. Incident Handling 7. Evaluation
56 Detection Capabilities, fed by Talos Collective Security Intelligence:
Security Intelligence updates (IP reputation, URL categories) feed Security Intelligence.
Malware cloud lookups (AMP), sandbox and trajectories feed file analysis.
L2/L3 connection logs and flows produce connection events.
File types and file transfers feed file detection.
Application definitions and app detectors feed AppID (server, client and web apps).
Vulnerability updates and OS definitions feed FireSIGHT discovery (hosts, users, OS, services, vulnerabilities).
Snort rule updates feed Snort IDS/IPS (Snort rule IDs).
57 Implementation: installation, basic configuration and insertion into the network.
1. Installation of Firepower Management Center.
2. Installing the FirePOWER appliance or FirePOWER Services for ASA.
3. Adding the FirePOWER appliance/module into Firepower Management Center.
4. Apply basic configuration.
5. Insertion into the network.
6. Tuning.
7. Optional: move from audit mode to inline mode.
8. Operation.
58 Policies.
System Policy: manages system-level settings such as audit logs, mail relay, etc.
Health Policy: a collection of health module settings to check the health of devices.
Network Discovery Policy: defines how the system collects data on network assets.
File Policy: used to perform AMP and file filtering.
Intrusion Policy: defines which IPS rules are enabled for inspection.
SSL Policy: defines what traffic to decrypt and how to decrypt it.
Access Control Policy: permits/denies traffic through the device, and defines which Intrusion/File policies are applied to traffic flows.
Network Analysis Policy: governs many traffic preprocessing options, and is invoked by advanced settings in your access control policy.
59 Network Discovery Policy Profiled networks
60 Access Control Policy
61 Intrusion Policy
62 Intrusion Policies: What are the different base IPS policies?
Connectivity over Security (~800 rules): CVSS score of 10; age of vulnerability: year before last and newer.
Balanced (~6,300 rules): CVSS score of 9 or greater; age of vulnerability: year before last and newer; or rule category equals Malware-CnC, blacklist, SQL Injection or Exploit-kit.
Security over Connectivity (~9,000 rules): CVSS score of 8 or greater; age of vulnerability: two years before last and newer; or rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit or App-detect.
63 Intrusion Policy Audit Mode: an inline deployment that does not actually affect traffic. Disable "Drop when inline" when creating the IPS policy. In passive deployments the system cannot affect traffic regardless of the drop behaviour. Events for rules set to drop will show "Would have dropped" when the sensor is deployed passively or when "Drop when inline" is disabled.
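The base-policy slide states the selection criteria (CVSS score, age of the vulnerability, category overrides) and the audit-mode slide states when a "drop" rule actually drops. The script below is an added example written for this page to make both rules concrete; it is not code from the Cisco Live deck or from Cisco (Talos ships the real selection as policy metadata on each rule rather than computing it from CVSS on the sensor). The thresholds are the ones quoted above; the rules are constructed, their SIDs are placeholders, and carrying CVSS and disclosure year as fields on the rule is an assumption made to show the selection logic.

```python
"""Base intrusion policy selection and drop behaviour in audit mode (added example)."""
from dataclasses import dataclass

CONNECTIVITY = "connectivity-over-security"
BALANCED = "balanced"
SECURITY = "security-over-connectivity"

# (minimum CVSS, how many years back a disclosure may be):
# "year before last and newer" is current_year - 2, "2 years before last" is - 3.
THRESHOLDS = {CONNECTIVITY: (10.0, 2), BALANCED: (9.0, 2), SECURITY: (8.0, 3)}

# Categories pulled in regardless of CVSS/age (slide wording, lower-cased; assumed).
CATEGORY_OVERRIDE = {
    CONNECTIVITY: set(),
    BALANCED: {"malware-cnc", "blacklist", "sql-injection", "exploit-kit"},
    SECURITY: {"malware-cnc", "blacklist", "sql-injection", "exploit-kit", "app-detect"},
}


@dataclass(frozen=True)
class Rule:
    sid: int
    category: str
    cvss: float
    year: int  # disclosure year of the vulnerability the rule covers (assumed field)


def in_base_policy(rule, policy, current_year):
    """True if the rule is enabled in the given base policy."""
    min_cvss, years_back = THRESHOLDS[policy]
    recent_enough = rule.year >= current_year - years_back
    if rule.cvss >= min_cvss and recent_enough:
        return True
    return rule.category in CATEGORY_OVERRIDE[policy]


def build_policy(rules, policy, current_year):
    """Sorted SIDs enabled in the policy."""
    return sorted(r.sid for r in rules if in_base_policy(r, policy, current_year))


def effective_action(rule_state, inline, drop_when_inline):
    """What the sensor does with a packet matching a rule.

    rule_state is the state in the intrusion policy: "drop", "alert" or "disabled".
    A drop rule only drops when the sensor is inline AND "Drop when inline" is set;
    in audit mode or a passive deployment the event is logged as "would have dropped".
    """
    if rule_state == "disabled":
        return "none"
    if rule_state == "alert":
        return "alert"
    if rule_state != "drop":
        raise ValueError(f"unknown rule state {rule_state!r}")
    return "drop" if (inline and drop_when_inline) else "would have dropped"


# Constructed rule set; SIDs are placeholders, not real Talos SIDs.
RULES = [
    Rule(1001, "server-webapp", 10.0, 2015),
    Rule(1002, "server-webapp", 9.3, 2015),
    Rule(1003, "os-windows", 8.1, 2013),
    Rule(1004, "malware-cnc", 5.0, 2010),
    Rule(1005, "app-detect", 0.0, 2012),
    Rule(1006, "server-other", 10.0, 2011),  # severe but too old for every policy
]

if __name__ == "__main__":
    for policy in (CONNECTIVITY, BALANCED, SECURITY):
        print(f"{policy}: {build_policy(RULES, policy, 2016)}")
    print("inline, drop disabled:", effective_action("drop", inline=True, drop_when_inline=False))
    print("passive, drop enabled:", effective_action("drop", inline=False, drop_when_inline=True))
```

Two details worth noticing when you run it: a CVSS 10 rule for a 2011 vulnerability (SID 1006) is in none of the three base policies because the age cut-off applies even to the top score, while a CVSS 5 Malware-CnC rule (SID 1004) is in Balanced and Security because the category override ignores score and age entirely. And effective_action() shows why audit mode is safe to put inline: with "Drop when inline" disabled, a drop rule is recorded as "would have dropped" and nothing is lost.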
64 Network Analysis Policy
65 Event Types.
Connection: source, destination, port, user, URL, app, protocol.
Discovery: OS, client app, service, server, usernames.
Intrusion: Snort rule ID, impact, source, destination, packet level.
File: filename, file type, direction, client app, protocol.
Correlation: white list / black list compliance.
Security Intelligence: IP reputation.
Malware: malware cloud lookups, FireAMP endpoint events.
Network File Trajectories: tracking of files as they traverse the network.
66-77 Conceptual Packet Flow to Event Type (built up over several slides; consolidated here into one view). Legend: event data; supporting data from Cisco; cross-table data.
Packet flow through the sensor: Security Intelligence; normalization and pre-processors; SSL decryption; application detection and app control; file detection; network detection; non-authoritative user ID; AMP; URL filtering; Snort (IPS monitoring for unidentified streams).
Supporting data from Cisco: Vuln DB; Geo IP DB; URL reputation DB; Security Intelligence feeds.
Additional sources: AMP for Endpoints; Active Directory.
Event types produced: Security Intelligence; Connection; Intrusion; File; Malware; User Activity.
Cross-table data: Servers; Application Details; Applications; Host Profiles; Host Attributes; Indications of Compromise; Correlation and White List (from Correlation Policies).
78 Discovery Features for more effective operation Host, User Discovery and Application Identification Host Profiles Impact Levels FireSIGHT Recommendations Indications of Compromise
79 Network Discovery.
Host discovery: identifies the OS, protocols and services running on each host, and reports on potential vulnerabilities present on each host based on the information gathered.
Application identification: FireSIGHT can identify over 1,900 unique applications using OpenAppID, including applications that run over web services such as Facebook or LinkedIn; applications can be used as criteria for access control.
User discovery: monitors for user IDs transmitted as services are used; integrates with Microsoft AD servers and ISE to authoritatively identify users; authoritative users can be used as access control criteria.
80 Host Profile: What have we learned? All the information we know about each host we monitor: current and historic users; OS, servers and applications; indications of compromise; malware detections; vulnerabilities.
81 Network Discovery: How is the information used?
FireSIGHT Recommendations: use the information learned about each host to automatically select the rules that apply to your environment.
Impact Assessment: correlation of IPS events with their impact on the target host.
Indications of Compromise: tags that indicate a likely host infection has occurred. FireSIGHT tracks and correlates IoCs across all sensor points, together with Security Intelligence and malware events.
82 FireSIGHT Recommendations: automatic tuning based on your environment. IPS rule recommendations are based on what is learned from Network Discovery: FireSIGHT associates the OS, servers and applications detected with the rules specific to those assets, identifies the current state of those rules in your base policy, and recommends and/or sets rule state changes. Combining a Cisco-provided default policy with FireSIGHT Recommendations results in an IPS policy matching the Talos-recommended settings for your assets.
83 Context comes from knowing the hosts on your network
84 Understanding Impact Flags. The impact flag correlates an intrusion event (source/destination IP, protocol, source/destination port, Snort ID, referenced CVE) with what FireSIGHT knows about the target host from its host profile (IP address, user IDs, protocols, server-side and client-side ports, services, client/server apps, operating system, potential vulnerabilities, IoCs).
Impact 0: event occurred outside the profiled networks. General information only.
Impact 4: previously unseen host within the monitored network (host not yet profiled). Good information; the host is currently not known.
Impact 3: relevant port not open or protocol not in use on the target. Good information; the attack may not have connected.
Impact 2: relevant port or protocol in use, but no vulnerability mapped. Worth investigation; the host is exposed.
Impact 1: host vulnerable to the attack or showing an IoC. Act immediately; the host is vulnerable or compromised. If you have a fully profiled network, this may be a critical event!
85 Correlating Weak Signals into Indicators of Compromise. Individually weak signals from different sensors on your network are correlated into an IoC: malware propagation detected by NGIPS; malware persistence actions detected by AMP for Endpoints; DNS to a malware site detected by NGIPS; malware file download detected by AMP for Content; CnC traffic detected by NGIPS.
86 Order of Investigation. Goal: getting to remediation. The slide plots events by what they mean (you've been owned; under attack; critical assets not blocked; internal source; external source) against what to do (remediation; incident response; data collection; research and tuning), using Indication of Compromise, correlation rule hits, Impact 1, Impact 2-3, Impact 4 and Impact 0 as the inputs, with dropped events ranking below the rest. The exact order may vary based on corporate priority.
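The impact-flag slide gives a decision procedure (event plus host profile in, flag 0-4 out) and the order-of-investigation slide turns those flags into a work queue. The script below is an added example written for this page to show both steps end to end; it is not code from the Cisco Live deck or from Cisco. Host profiles, events and all field names are constructed assumptions; the flag rules follow the slide, and the triage ranking (not-dropped first, then impact 1, 2/3, 4, 0, with critical assets first within a class) is one reasonable reading of a slide that itself says the order may vary by corporate priority.

```python
"""Impact flags and an order of investigation for intrusion events (added example)."""
import ipaddress

# Networks the discovery policy profiles; anything else is "outside" (impact 0).
PROFILED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed host profiles, shaped like what FireSIGHT discovery would build.
HOSTS = {
    "10.1.1.10": {"services": {("tcp", 443), ("tcp", 22)},
                  "cves": {"CVE-2014-0160"}, "ioc": False, "critical": False},
    "10.1.1.20": {"services": {("tcp", 445)}, "cves": set(), "ioc": True, "critical": False},
    "10.1.1.30": {"services": {("tcp", 443)}, "cves": set(), "ioc": False, "critical": True},
}

IMPACT_RANK = {1: 0, 2: 1, 3: 1, 4: 2, 0: 3}  # lower rank = investigate sooner


def impact_flag(event, hosts=HOSTS, networks=PROFILED_NETWORKS):
    """Correlate one intrusion event with the target's host profile (slide rules)."""
    dst = ipaddress.ip_address(event["dst_ip"])
    if not any(dst in net for net in networks):
        return 0  # outside the profiled networks: general information only
    host = hosts.get(event["dst_ip"])
    if host is None:
        return 4  # previously unseen host inside the monitored range
    if host["ioc"] or host["cves"] & set(event.get("cves", ())):
        return 1  # vulnerable to this rule's CVE, or already showing an IoC
    if (event["proto"], event["dst_port"]) not in host["services"]:
        return 3  # relevant port not open / protocol not in use
    return 2  # port in use but no matching vulnerability mapped


def triage(events, hosts=HOSTS):
    """Event ids in the order to investigate them (assumed ranking, see lead-in)."""
    def key(ev):
        critical = hosts.get(ev["dst_ip"], {}).get("critical", False)
        return (ev.get("dropped", False), IMPACT_RANK[impact_flag(ev, hosts)], not critical)
    return [ev["id"] for ev in sorted(events, key=key)]


# Constructed intrusion events; "cves" are the references the Snort rule carries.
EVENTS = [
    {"id": "e4", "dst_ip": "10.9.9.9", "proto": "tcp", "dst_port": 80, "cves": []},
    {"id": "e6", "dst_ip": "10.1.1.20", "proto": "tcp", "dst_port": 445, "cves": [],
     "dropped": True},
    {"id": "e2", "dst_ip": "10.1.1.30", "proto": "tcp", "dst_port": 8080, "cves": []},
    {"id": "e5", "dst_ip": "203.0.113.5", "proto": "udp", "dst_port": 53, "cves": []},
    {"id": "e1", "dst_ip": "10.1.1.10", "proto": "tcp", "dst_port": 443,
     "cves": ["CVE-2014-0160"]},
    {"id": "e3", "dst_ip": "10.1.1.10", "proto": "tcp", "dst_port": 443, "cves": []},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], "->", impact_flag(ev))
    print("investigate in this order:", triage(EVENTS))
```

Running it, e1 (rule references a CVE the host profile lists) gets Impact 1 and goes first; e2 and e3 are both "exposed but not known vulnerable" (Impact 3 on a critical host and Impact 2 on a non-critical one), and the critical-asset tiebreak puts e2 ahead despite its higher flag; e6 is an IoC host but the packet was dropped, so it sorts to the end of the queue. The point of the exercise is that the same Snort event lands anywhere from Impact 1 to Impact 4 depending purely on how well the destination is profiled, which is why the slides keep insisting on network discovery before inline deployment.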
87 Stages of Incident Handling (SANS Institute): Preparation; Identification; Containment; Eradication; Recovery; Lessons Learned. In practice: decide which events to focus on first; drill into a specific event; validate the breach; leverage documentation; leverage additional forensics; explore your remediation options; remediate. Automate as many decisions or actions as possible.
88 Identify Where to Start If this is all there was then the Order of Investigation is easy. From the FMC Dashboard
89 Identify Where to Start Indications of Compromise Is often a better place to start. If it was always so easy. From the FMC Context Explorer
90 What too many networks look like (from the FMC Context Explorer). Some ways to choose where to start: look for Malware Executed (Endpoint AMP); Dropper Infection (Endpoint AMP); Threat detected in file transfer; CnC Connected; Shell Code Executed; Impact 1 (these were probably blocked); Impact 2 (these were probably blocked). Let's see what these 63 events are all about.
91 Drill into Workflow Busy event. Looks like we re getting more.
92 Investigate Host Seems active across 6 hosts. Let s drill into one.
93 Looks like Kim Ralls has a lot going on on her Windows host, with events from multiple sources: IPS engine, file protection, AMP for Networks.
94 More information: .147 tried to send the file 5 times; .107 was sent the file once, and IPS blocked it (yeah!). What does Impact 4 mean? Should we investigate more?
95 Did you forget about these? Let s see if that file moved around without the IPS seeing it.
96 Yep. That file is malware We see it in the malware summary, too.
97 A lot more than the 6 file transfers and hosts the IPS engine stopped. Take Away Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue. Good thing they have AMP for Endpoints, too. Bet they wished they enabled quarantining. Problem scoped. Time to remediate. Maybe a good time to look at file analysis / Threatgrid to learn what other artifacts are left behind.
98 Evaluation Is the IPS Deployment Effective? Initially: (Fine)tuning Continuously: Signature Updates FireSIGHT Recommendations Periodically: Vulnerability scan Penetration testing
99 Final thoughts (these are mine) Know your environment, don t look at alerts in isolation Be suspicious Think Next Generation security, not silver bullets Don t be complacent, keep challenging your environment
100 Q & A
101 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected Friday 11 March at Registration Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.
102 Thank you