FP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer


3 Agenda
Introduction
The Issue of Threats
Introduction to IPS
Deploying IPS
Operationalise IPS
Q & A

4 Objectives: What will you learn in this session?
Next Generation Security and IPS Fundamentals
- Understand the basic premise of Next-Generation Firewall and IPS
Cisco NGIPS Solutions
- Understand what different Cisco NGIPS solutions exist and how they differ
Deploying Cisco NGIPS
- Understand the process to select the right NGIPS solution
- Understand what the important considerations are when deploying NGIPS
Operationalise FirePOWER NGIPS
- High-level understanding of the process of operating FirePOWER NGIPS
- Sample workflow of an incident

5 Objectives: What is not covered (in depth) in this session?
Not covered in depth here, so check out these sessions:
- BRKSEC Firepower 9300 Deep Dive: Thursday 10 Mar, 4:30 PM - 6:00 PM, 207; Andrew Ossipov, Principal Engineer, Cisco
- BRKSEC ASA and FirePOWER in ACI: Thursday 10 Mar, 4:30 PM - 6:00 PM, 208; Goran Saradzic, Technical Marketing Engineer, Cisco
- BRKSEC Advanced - ASA Clustering Deep Dive: Friday 11 Mar, 8:45 AM - 10:45 AM, 104; Andrew Ossipov, Principal Engineer, Cisco
- BRKSEC Troubleshooting: ASA Firepower NGFW: Friday 11 Mar, 2:00 PM - 4:00 PM, 104; Prapanch Ramamoorthy, Engineer, Technical Services, Cisco

6 The Issue of Threats

7 What Do You Do?

8 What Does an Attacker See?

9 No Matter How Good Your Security Is

10 Introduction to IPS

11 2016 Cisco Annual Security Report

12 Introduction to IPS What is IPS?

13 Why do I need IPS? Challenges come from every direction:
Sophisticated Attackers, Complicit Users, Dynamic Threats, Boardroom Engagement, Defenders, Complex Geopolitics, Misaligned Policies

14 Cisco NGIPS Solutions

15 Cisco NGIPS Solutions: Next-Generation Firewall
Next-Generation Firewalls perform deep inspection of traffic and threat prevention, building on the traditional firewall with:
- Integrated signature-based IPS engine
- Application visibility and granular control (AVC)
- Identity awareness and control
- URL filtering
- Capability to incorporate external information (feeds)

16 Cisco NGIPS Solutions: Traditional IPS
Traditional IPS provides signature-based pattern matching for detection and prevention of intrusion attempts.
- Typically deployed behind a firewall or in IDS mode
- Typically a bump in the wire
- Often looks for exploits rather than vulnerabilities, so a rewritten exploit for the same bug slips past
- Often overwhelms operators with irrelevant events
- Doesn't give much contextual information to act on
- Requires a high level of tuning
As a result, traditional IPS:
- Often needs additional devices to perform other related tasks
- Is often minimally effective or isn't used
- Requires massive amounts of time and resources to make it work
- May leave organisations exposed

17 Cisco NGIPS Solutions: Next-Generation IPS
Next-Generation IPS extends traditional IPS with:
- Application awareness, to enable visibility into new L7 threats and reduce the attack surface
- Contextual awareness, providing information to help better understand events, enable automation, and reduce cost, complexity and tuning
- Content awareness: determine different file types and whether or not those can be malicious
Next-Generation IPS is often deployed as part of a Next-Generation Firewall

18 Cisco NGIPS Solutions: Historical perspective
- Snort created: by Martin Roesch in 1998. Snort is both a language and an engine; the open-source community rapidly adopts and develops Snort
- Sourcefire founded: in 2001 by Martin Roesch, creating a commercial version of Snort
- Sourcefire acquires Immunet, a cloud-based anti-malware vendor: acquisition completed 2011
- Cisco acquires Sourcefire: acquisition completed 2013 for $2,700,000,000

19 Cisco NGIPS Solutions: Cisco FirePOWER NGIPS
Cisco FirePOWER NGIPS/NGFW: Next-Generation IPS, Firewall, and Anti-Malware Solution
- Supported on Firepower 7000 and 8000-series appliances
- Supported on ASA5500-X and ASA5585-X
- Supported on Firepower 4100 and 9300
- Supported in VMware ESX and AWS

20 Cisco NGIPS Solutions What does a Security Appliance offer

21 Cisco NGIPS Solutions: ASA with FirePOWER Services
Base Hardware and Software
- 5585-X bundle SKUs with FirePOWER Services Module
- 5585-X Enhanced Performance Models
- 5500-X SKUs running FirePOWER Services Software
- New 5506/8/16-X for SMB, distributed enterprises and industrial control
- Hardware includes Application Visibility and Control (AVC)
Security Subscription Services
- FirePOWER Services licenses are separate from the ASA license
- IPS, URL, Advanced Malware Protection (AMP) subscription services
- One-, three-, and five-year term options
- Available via ELA
Management
- FireSIGHT Management Centre (HW appliance or virtual)
- Cisco Security Manager (CSM) or ASDM to manage ASA features
- ASDM manages both ASA and FirePOWER Services on the new ASA low/mid models

22 Cisco NGIPS Solutions: ASA with FirePOWER Services Architecture
- ASA processes all ingress/egress packets
- No packets are processed directly by FirePOWER (except for management)
- Traffic is forwarded to the FirePOWER module using a policy-map
- FirePOWER provides the Next-Generation Firewall services
[Diagram: ASA 5585-X with FirePOWER Services. SFR module (crypto or regex engine, CPU complex, 10GE NICs, ports) and ASA module (crypto engine, CPU complex, 10GE NICs, ports) joined by a fabric-switch backplane. Packet path: ASA ingress, then FirePOWER ingress, then egress after FirePOWER processing.]
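The policy-map redirection the slide refers to, as an added configuration example (not from the deck): ASA CLI that sends traffic through the SFR module, with the fail-open/fail-close and monitor-only choices spelled out. The ACL and class-map names are assumptions; `sfr fail-open`, `sfr fail-close` and the `monitor-only` keyword are the ASA commands.

```text
! Select what to redirect. Narrow this ACL to keep traffic you have decided
! not to inspect (e.g. backup replication) off the module.
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! Attach the module to the default global policy. fail-open keeps traffic
! flowing uninspected while the module is down or reloading; fail-close
! drops it instead. Choose fail-close where an uninspected gap is worse
! than an outage (Module Fail-Open is the ASA's network-availability knob).
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
! Audit first: monitor-only hands the module a copy of the traffic and
! never lets it drop anything, i.e. IDS behaviour on an inline ASA.
! Swap the line above for this one during the tuning phase:
!  sfr fail-open monitor-only
!
service-policy global_policy global
```

After applying, `show module sfr` confirms the module is up and `show service-policy sfr` shows whether packets are actually being redirected; a class that matches nothing is the usual reason for a silent, empty FireSIGHT console.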

23 Cisco NGIPS Solutions: FirePOWER Appliances
Base Hardware and Software
- Single-pass architecture
- 8000 Series with modular interface options (NetMods), including 10 and 40 Gbps
- Clustering support for HA
- Stacking capable for increased throughput up to 60 Gbps
- 71x5 Series with 8 fail-closed SFP ports
- 7000 Series with built-in 1 Gbps copper interfaces
- Virtual FirePOWER NGIPSv for VMware ESX(i)
Security Subscription Services
- IPS, URL, Advanced Malware Protection (AMP) subscription services
- One-, three- and five-year term options
- Available via ELA
Management
- FireSIGHT Management Centre (HW appliance or virtual)

24 Cisco NGIPS Solutions: FirePOWER Appliances Architecture
[Diagram, top to bottom:]
- FirePOWER applications (NGIPS, AppID, AMP); application/control-plane processing on the CPU
- NFE: L2-L7 classification, stateful flow processing, PKI and bulk cryptography, flow-based load balancing
- NMSB: L2 switching / L3 routing / NAPT, L2-L4 packet classification, packet-based load balancing
- Physical interfaces: NetMods with integrated bypass relays

25 Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances

Solution      | ASA with FirePOWER Services                          | FirePOWER Appliances
Form Factor   | ASA 5500-X, 5585-X                                   | 8000, 7000 physical and virtual appliances
Performance   | Up to 10 Gbps NGIPS on a single 5585-X SSP60         | Up to 60 Gbps on 8390
Deployment    | Physical ASA inline deployment, HA, clustering       | Physical or SPAN deployment, HA
Use Case      | Inline and promiscuous NGIPS and NGFW                | Inline and promiscuous NGIPS and NGFW
Packet Flow   | From ASA to FirePOWER module                         | Directly through the FirePOWER appliance
Management    | CSM/ASDM for ASA, FMC/ASDM* for FirePOWER Services  | FireSIGHT Management Centre

26 Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances

Feature         | ASA with FirePOWER Services                                              | FirePOWER Appliances
Feature set     | All ASA + most FirePOWER features                                        | FirePOWER features
Multi-Context   | Apply FirePOWER policy per context and generate reports per context      | Define security zones, apply policy and generate reports per zone
SSL Decryption  | Integrated as well as external appliance                                 | Integrated as well as external appliance
VPN             | Multiple remote-access and site-to-site options (IPsec, SSL)             | Limited site-to-site IPsec support
HA              | Active/Standby, Active/Active, clustering                                | Active/Standby (clustering)
Routing         | Static, EIGRP, OSPF, BGP, RIP, multicast                                 | Static, OSPF, RIP
Identity        | SFUA, AD Agent, CDA and TrustSec on ASA                                  | SFUA, AD Agent, passive discovery
Bypass          | Module Fail-Open                                                         | Automatic Application Bypass, HW bypass

27 NGIPS Solutions Pop Quiz! Q. Which devices have hardware bypass? A. FirePOWER appliances

28 Deploying Cisco NGIPS

29 IPS Deployment Cycle: The Main Steps
Network Security Policy, Use Cases, Location, Connectivity, Performance, Availability and Scaling, Management

30 Policy: Network Security Policy
- Outlines rules for computer network access
- Determines how policies are enforced
- Basic architecture of the network security environment
- Keep malicious users, applications and traffic out
- Keep internal data in
- Attack mitigation and incident response
- Align to business needs

31 Use Case: What problem are we solving?
- Traditional FW: 5-tuple access control, stateful protocol inspection, NAT, routing
- VPN: remote access, site-to-site, NAT, routing
- NGFW: application visibility and control, user-based controls, filtering web access, encrypted traffic
- Malware: Trojan horses, rootkits, ...; scope spreading; 0-days
- NGIPS: intrusion detection, intrusion prevention, encrypted traffic, compliance, network forensics

32 Use Case: Intrusion Prevention
- Identify, log and/or prevent intrusion attempts
- Everything that matters for IDS also applies to IPS
- The right tuning is even more important, because false positives may drop good traffic
- Inline deployment may have an impact on performance
- Often IPS is deployed as IDS first, then tuned before inline deployment
- Contextual visibility is key!

33 Location: What network segment do we want to protect?
Internet Edge, Data Centre, Branch, Core, Extranets, Critical Network Segments

34 Location: Internet Edge
- The enterprise's gateway to cyberspace
- Serves diverse building blocks
- Allows outbound employee traffic and inbound traffic to servers
- Filters outbound employee traffic
- Needs a diversified policy protecting both the DMZ and users
- Expected threats include (D)DoS, intrusion attempts, application-layer attacks
- Controls: URL and application filtering, IPS/IDS, SSL decryption, anti-malware

35 Connectivity: What interfaces are needed?
- How many interfaces?
- Fiber or copper?
- Bypass or non-bypass?
- Interface speed?
- Need for bundling interfaces?
- Need for wireless?

36 Connectivity: Interface Options on ASA with FirePOWER Services

Model                   | 5506-X | 5506H-X | 5506W-X | 5508/16-X | 5512/15/25-X       | 5545/55-X
Fixed 1GE Interfaces    |        |         |         |           |                    |
Modular Interfaces      | NO     | NO      | NO      | NO        | 6 GE copper or SFP | 6 GE copper or SFP
Integrated Wireless AP  | NO     | NO      | YES     | NO        | NO                 | NO
Hardware Fast Path      | NO     | NO      | NO      | NO        | NO                 | NO
Monitor-Only Mode       | YES    | YES     | YES     | YES       | YES                | YES

37 Connectivity: Interface Options on ASA 5585-X with FirePOWER Services (SSP-10F, SSP-20F, SSP-40F, SSP-60F)

Fixed 1GE Interfaces    |
SFP+ Sockets            | 4 (1/10 GE) | 6 (1/10 GE) | 8 (1/10 GE)
Hardware Fast Path      | NO          | NO          | NO
Monitor-Only Mode       | YES         | YES         | YES

38 Connectivity: Interface Options on FirePOWER Appliances

Model                        | NGIPSv | 7000 Series | 7100 Series         | 8100 Series                | 8200/8300 Series
Modular Interfaces           | N.A.   | NO          | 8 GE copper or SFP* | Up to 3 modules (1, 10 GE) | Up to 7 modules (1, 10, 40 GE)
Monitoring Interfaces (Max)  | N.A.   |             |                     |                            |
Hardware Bypass              | NO     | YES         | YES                 | YES                        | YES
Hardware Fast Path           | NO     | NO          | NO                  | YES                        | YES
* 7115, 7125, and 7150 models only

39 Connectivity: Network Modules for FirePOWER 8000 Series
Integrated Bypass NetMods:
- 1-Gbps 4-port copper
- 1-Gbps 4-port fiber
- 10-Gbps 2-port fiber SR (short-reach)
- 10-Gbps 2-port fiber LR (long-reach)
Non-Bypass NetMods:
- 1-Gbps 4-port copper
- 1-Gbps 4-port fiber
- 10-Gbps 4-port fiber SR (short-reach)
- 10-Gbps 4-port fiber LR (long-reach)
- 40-Gbps 2-port fiber SR (8200/8300 only)

40 Connectivity Pop Quiz! Q. How many monitoring interfaces does a 3D7000 have? A. 8

41 Performance: How to measure and why it matters
- Sizing: which device do I need to buy? Upgrade of an existing device or a new device?
- Features: what features am I going to need or want to run? Firewall, IPS, application control, URL, malware?
- Location: where is the device in the network? In front of a DNS-only data centre with millions of very small, very fast transactions, or in front of HTTP web servers serving normal web pages? A data centre looking only at internal traffic, or the Internet edge looking at the wild Internet?
As with all performance discussions, YOUR MILEAGE MAY VARY!!

42 Performance: Determining your IPS performance needs
- What does your traffic mix look like?
- What is your peak throughput?
- What features will you need?
- What are your peak connections per second and maximum concurrent connections?
- How much latency is acceptable?
- Can we exclude traffic from inspection?
- Use NetFlow, NBAR, AVC and ASA statistics to find out
- Plan for the future!

43 Performance: Throughput testing methodology
Datasheets generally give some indication of performance; in most cases this includes the infamous throughput measurement, and different product spaces use different typical throughput tests.
The firewall industry almost always publishes a maximum throughput number, usually based on a traffic type that is never helpful in sizing the product: UDP with a 1518-byte packet size is fairly common.
The IPS industry has generally been more conservative about throughput estimates on its datasheets, partly because IPS performance varies much more with traffic mix than firewall performance does, and partly by industry choice: TCP 440-byte HTTP is fairly common.

44 Performance Pop Quiz! Q. What metric does the IPS industry use to measure throughput? A. 440 Byte packet size

45 Availability and Scaling: What should happen if the IPS fails?

Solution                            | Network Availability                                          | Security Availability
ASA with FirePOWER Services         | ASA with FirePOWER fail-open                                  | ASA A/S failover
FirePOWER Appliance - Promiscuous   | N.A.                                                          | FirePOWER clustering, passive redundancy
FirePOWER Appliance - Inline        | Automatic Application Bypass, hardware bypass, alternate path | FirePOWER clustering - inline, switched, or routed

46 Availability and Scaling: How to scale beyond what one appliance can do?

Solution                        | Scaling   | Scaling + Availability
ASA with FirePOWER Services     | N.A.      | ASA clustering*
FirePOWER Appliance - Passive   | Stacking  | Passive clustered stack; FirePOWER passive appliances with EtherChannel/RSPAN*
FirePOWER Appliance - Inline    | Stacking  | Clustered stack; ASA with FirePOWER appliances*
* Can be deployed in asymmetric traffic environments

47 Scaling: Stacking for FirePOWER 8000 Series
- 4x stacking supported on 8300; 2x stacking on 8100 Series
- Throughput steps: Gbps, 30 Gbps, 45 Gbps, 60 Gbps

48 Availability and Scaling: Options on FirePOWER Appliances

Feature                        | NGIPSv | 7000 Series | 7100 Series | 8100 Series | 8200/8300 Series
FirePOWER Stacking             | NO     | NO          | NO          | YES (2)     | YES (4)
FirePOWER Clustering           | NO     | YES         | YES         | YES         | YES
Clustered Stacks               | NO     | NO          | NO          | YES         | YES
Automatic Application Bypass   | YES    | YES         | YES         | YES         | YES
Hardware Bypass                | NO     | YES         | YES         | YES         | YES
* 7115, 7125, and 7150 models only

49 Scaling + Availability: Clustering for ASA5500-X
Scaling and availability for FirePOWER Services
- Can be deployed in an asymmetric environment
- Up to 16 ASA5585-X or two ASA5500-X with FirePOWER Services
- Stateless load balancing by the external switch; support for vPC and LACP
- Cluster Control Protocol/Link: state-sharing between firewalls for concerted operation and high availability
- Every session has a primary and a secondary owner
- The ASA cluster provides traffic symmetry to the FirePOWER modules, so each module sees both directions of the flows it inspects
[Diagram: ASA cluster between two vPC switch pairs]

50 Availability and Scaling: Options on ASA with FirePOWER Services

Feature                        | 5506-X | 5506H-X | 5506W-X | 5508/16-X | 5512/15/25-X | 5545/55-X | 5585-X
Multi-Context                  | NO     | NO      | NO      | YES       | YES          | YES       | YES
High Availability              | A/S    | A/S     | A/S     | A/S, A/A  | A/S, A/A     | A/S, A/A  | A/S, A/A
Clustering                     | NO     | NO      | NO      | NO        | YES (2)      | YES (2)   | YES (16)
Module Fail-Open               | YES    | YES     | YES     | YES       | YES          | YES       | YES
Automatic Application Bypass   | NO     | NO      | NO      | NO        | NO           | NO        | NO

51 Scaling Quiz! Q. How many 8300 appliances are in an 8390 stack? A. 4

52 Management: FireSIGHT Management Center
- Management platforms: FireSIGHT Management Center, ASDM*
- FireSIGHT Management Center can be an appliance or a VM
- FireSIGHT Manager appliances can be deployed in HA
- Determining factors: device type, deployment size, cost, other security devices, scaling requirements, responsibilities
* ASDM currently only manages FirePOWER Services on 5506/8/16

                                       | FMC                             | ASDM
UI                                     | Server, web-based UI            | On-box
Form Factor                            | VM or appliance                 | Runs on ASA
Number of devices                      | Up to                           |
Cost                                   | $                               | No charge
Manages                                | FirePOWER, FirePOWER Services   | ASA, FirePOWER Services on select platforms
Contextual Awareness and Visibility    | Extensive                       | Basic, no IoC or Impact Assessment
Detailed Event Collection              | Extensive                       | Basic
Reporting                              | Extensive                       | Basic
Health Monitoring                      | Extensive                       | Basic: CPU, memory

53 Management: FireSIGHT Management Center Appliances
- Virtual FireSIGHT Management Center: up to 25 managed devices (ASA or FirePOWER appliances)
- Event storage per model: 100 GB, 125 GB, 1.8 TB, 400 GB, 4.8/6.3 TB
- Maximum network map (hosts/users) and events per second (EPS): 2000/ ,000/ 50, ,000/ 150, ,000/ 300, ,000/ 600, ,000; 10,000; 20,000
- Virtual FireSIGHT Management for 2 or 10 ASA devices only (FS-VMW-2-SW-K9, FS-VMW-10-SW-K9); not upgradeable
* Maximum number of devices is dependent upon sensor type and event rate

54 Operationalise Cisco NGIPS

55 Operationalise NGIPS
1. Detection Capabilities
2. Implementation
3. Policies
Discovery
6. Incident Handling
7. Evaluation

56 Detection Capabilities: Talos Collective Security Intelligence
[Diagram: Talos feeds on the left, detection engines in the middle, what each engine produces on the right]
- Security Intelligence: IP reputation, URL category updates
- Malware: cloud lookups (AMP), sandbox, trajectories
- L2/L3 and files: connection logs, flows; file types, file transfers
- AppID: application definitions, app detectors; produces server, client and web apps
- FireSIGHT Discovery: vulnerability updates, OS definitions; produces hosts, users, OS, services, vulnerabilities
- Snort IDS/IPS: Snort rule updates; produces Snort rule IDs

57 Implementation: Installation, Basic Configuration and Insertion into the Network
1. Installation of Firepower Management Center
2. Installing FirePOWER appliance or FirePOWER Services for ASA
3. Adding FirePOWER appliance/module into Firepower Management Center
4. Apply basic configuration
5. Insertion into the network
6. Tuning
7. Optional: move from audit mode to inline mode
8. Operation

58 Policies
- System Policy: manages system-level settings such as audit logs, mail relay, etc.
- Health Policy: a collection of health-module settings to check the health of devices
- Network Discovery Policy: defines how the system collects data on network assets
- File Policy: used to perform AMP and file filtering
- Intrusion Policy: defines which IPS rules are enabled for inspection
- SSL Policy: defines what traffic to decrypt and how to decrypt it
- Access Control Policy: permits/denies traffic through the device, and defines which Intrusion/File policies are applied to traffic flows
- Network Analysis Policy: governs many traffic preprocessing options; invoked by the advanced settings of your access control policy

59 Network Discovery Policy Profiled networks

60 Access Control Policy

61 Intrusion Policy

62 Intrusion Policies: What are the different base IPS policies?
Connectivity over Security (~800 rules)
- CVSS score of 10
- Age of vulnerability: year before last and newer
Balanced (~6300 rules)
- CVSS score of 9 or greater
- Age of vulnerability: year before last and newer
- Or: rule category is Malware-CnC, blacklist, SQL Injection, or Exploit-kit
Security over Connectivity (~9000 rules)
- CVSS score of 8 or greater
- Age of vulnerability: 2 years before last and newer
- Or: rule category is Malware-CnC, blacklist, SQL Injection, Exploit-kit, or App-detect
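The three base policies as a rule filter, as an added example (this is illustrative code written for this page, not Cisco's or Talos's implementation). It applies the CVSS threshold, vulnerability age and category override the slide lists to a constructed sample rule set, so you can see which rules each policy turns on and, more importantly, which ones none of them do.

```python
"""Base intrusion-policy rule selection, modelled on the selection criteria
stated on the slide. Illustrative only; SAMPLE_RULES is constructed data,
not the Talos rule set."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int            # Snort rule ID
    cvss: float         # CVSS base score of the referenced vulnerability
    vuln_year: int      # year the referenced vulnerability was published
    category: str       # Snort rule category (e.g. "server-webapp")


# max_age counts years back from the reference year:
#   2 = "year before last and newer", 3 = "2 years before last and newer".
# Rules in an override category are enabled regardless of score or age.
BASE_POLICIES = {
    "connectivity-over-security": {
        "min_cvss": 10.0, "max_age": 2, "categories": frozenset()},
    "balanced": {
        "min_cvss": 9.0, "max_age": 2,
        "categories": frozenset({"malware-cnc", "blacklist", "sql-injection", "exploit-kit"})},
    "security-over-connectivity": {
        "min_cvss": 8.0, "max_age": 3,
        "categories": frozenset({"malware-cnc", "blacklist", "sql-injection",
                                 "exploit-kit", "app-detect"})},
}


def rule_enabled(rule: Rule, policy: str, ref_year: int) -> bool:
    """True if the named base policy would enable this rule in ref_year."""
    crit = BASE_POLICIES[policy]
    if rule.category in crit["categories"]:
        return True
    recent = (ref_year - rule.vuln_year) <= crit["max_age"]
    return recent and rule.cvss >= crit["min_cvss"]


def select_rules(rules, policy: str, ref_year: int) -> list:
    """Sorted SIDs the given base policy enables."""
    return sorted(r.sid for r in rules if rule_enabled(r, policy, ref_year))


# Constructed sample rules; scores and years chosen to exercise each branch.
SAMPLE_RULES = [
    Rule(1, 10.0, 2015, "server-other"),   # high score, recent: every policy
    Rule(2, 9.3, 2014, "browser-ie"),      # below 10, so not Connectivity
    Rule(3, 10.0, 2012, "os-windows"),     # too old for every policy
    Rule(4, 5.0, 2015, "malware-cnc"),     # low score but override category
    Rule(5, 8.5, 2013, "server-webapp"),   # only Security accepts age 3 / CVSS 8+
    Rule(6, 6.0, 2016, "app-detect"),      # override category only in Security
    Rule(7, 10.0, 2013, "file-pdf"),       # CVSS 10 but age 3: Security only
]

if __name__ == "__main__":
    for name in BASE_POLICIES:
        print(f"{name:28s} {select_rules(SAMPLE_RULES, name, 2016)}")
```

Rule 3 (a CVSS 10 bug from four years back) is enabled by none of the three policies, and rule 4 is enabled by Balanced despite its CVSS 5: the base policy is a severity-and-recency filter with a category escape hatch, not an assessment of what your hosts actually run, which is why tuning and recommendations still follow it.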

63 Intrusion Policy: Audit Mode
- Inline deployment without actually affecting traffic: disable "Drop when inline" when creating the IPS policy
- In passive deployments the system cannot affect traffic regardless of the drop behaviour
- Events show "Would have dropped" when the sensor is deployed passively or when "Drop when inline" is disabled; that is the audit-mode signal to review before turning drops on

64 Network Analysis Policy

65 Event Types
- Connection: source, destination, port, user, URL, app, protocol
- Discovery: OS, client app, service, server, usernames
- Intrusion: Snort rule ID, impact, source, destination, packet level
- File: filename, file type, direction, client app, protocol
- Correlation: white list / black list compliance
- Security Intelligence: IP reputation
- Malware: malware cloud lookups, FireAMP endpoint events
- Network File Trajectories: tracking of files as they traverse the network

66 Conceptual Packet Flow to Event Type
[Diagram. Packet flow, left to right: Security Intelligence, normalization / pre-processors, SSL decryption, application detection and app control, file detection, network detection, non-authoritative user ID, URL filtering, Snort, AMP; the IPS monitors unidentified streams.
Supporting data from Cisco: Vuln DB, Geo IP DB, URL Rep DB, AMP for Endpoints, Security Intelligence. Additional sources: Active Directory, client.
Event types produced: Connection, Intrusion, File, Malware, User Activity, Servers, Application Details, Applications, Host Profiles, Host Attributes, Indications of Compromise, Correlation, White List (from correlation policies). Cross-table data links the event tables.]


78 Discovery Features for more effective operation Host, User Discovery and Application Identification Host Profiles Impact Levels FireSIGHT Recommendations Indications of Compromise

79 Network Discovery
Host discovery
- Identifies OS, protocols and services running on each host
- Reports on potential vulnerabilities present on each host based on the information it has gathered
Application identification
- FireSIGHT can identify over 1900 unique applications using OpenAppID
- Includes applications that run over web services such as Facebook or LinkedIn
- Applications can be used as criteria for access control
User discovery
- Monitors for user IDs transmitted as services are used
- Integrates with MS AD servers and ISE to authoritatively identify users
- Authoritative users can be used as access control criteria

80 Host Profile: What have we learned?
All information we know about each host we monitor:
- Current and historic users
- OS, servers, applications
- Indications of Compromise
- Malware detections
- Vulnerabilities

81 Network Discovery: How is the information used?
- FireSIGHT Recommendations: uses the information learned about each host for automatic selection of the rules that apply to your environment
- Impact Assessment: correlation of an IPS event with its impact on the target host
- Indications of Compromise: tags that indicate a likely host infection has occurred. FireSIGHT tracks and correlates IoCs across all sensor points together with Security Intelligence and malware detections.

82 FireSIGHT Recommendations: Automatic tuning based on your environment
- IPS rule recommendations based on what is learned from Network Discovery
- Associates the OS, servers and applications detected with rules specific to those assets
- Identifies the current state of rules in your base policy and recommends and/or sets rule state changes
- Combining a Cisco-provided default policy with FireSIGHT Recommendations results in an IPS policy matching the Talos-recommended settings for your assets
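A recommendations pass of the kind the slide describes, as an added example (illustrative code written for this page, not Cisco's implementation). It flattens discovered OS and server applications into an asset set, then proposes rule-state changes in both directions: enable rules that protect something you actually run, disable active rules that protect nothing on the network. Hosts, rules and the rule-to-asset mapping are constructed sample data; the real product maps rules to hosts through vulnerability references rather than by product name.

```python
"""FireSIGHT-Recommendations-style rule-state proposals from discovery data.
Illustrative only; DISCOVERED_HOSTS and RULES are constructed sample data."""

# Constructed discovery data: host -> (operating system, server apps seen).
DISCOVERED_HOSTS = {
    "10.1.1.10": ("Windows Server 2012", {"IIS", "MSSQL"}),
    "10.1.1.20": ("Ubuntu 14.04", {"Apache", "OpenSSH"}),
    "10.1.1.30": ("Ubuntu 14.04", {"OpenSSH"}),
}

# Constructed rule metadata: sid -> (current state, assets the rule protects).
# States follow the intrusion-policy rule states: "drop", "generate", "disable".
RULES = {
    2001: ("disable", {"IIS"}),                # off in the base policy, but IIS is present
    2002: ("drop", {"MSSQL"}),                 # already active and relevant
    2003: ("generate", {"Oracle"}),            # active, but nothing here runs Oracle
    2004: ("disable", {"Exchange"}),           # irrelevant and already off
    2005: ("drop", {"Windows Server 2012"}),   # OS-targeted, relevant
    2006: ("generate", {"Apache"}),            # relevant, leave as is
}


def observed_assets(hosts) -> set:
    """Every OS name and server application discovered on any monitored host."""
    assets = set()
    for os_name, apps in hosts.values():
        assets.add(os_name)
        assets |= apps
    return assets


def recommend(rules, hosts, enabled_state="generate") -> dict:
    """Return {sid: (current_state, recommended_state)} for rules whose
    state should change. A rule is relevant when any asset it protects has
    been discovered. Relevant-but-disabled rules are enabled with
    enabled_state; enabled-but-irrelevant rules are disabled."""
    assets = observed_assets(hosts)
    changes = {}
    for sid, (state, protects) in rules.items():
        relevant = bool(protects & assets)
        if relevant and state == "disable":
            changes[sid] = (state, enabled_state)
        elif not relevant and state != "disable":
            changes[sid] = (state, "disable")
    return changes


if __name__ == "__main__":
    for sid, (old, new) in sorted(recommend(RULES, DISCOVERED_HOSTS).items()):
        print(f"SID {sid}: {old} -> {new}")
```

The disable direction is the one that saves analysts' time (rule 2003 fires on traffic to a product you do not run), but it is also the risky one: a host the discovery policy has never seen, for example one outside the monitored ranges, contributes no assets, so review the disable list against your inventory before accepting it.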

83 Context comes from knowing the hosts on your network

84 Understanding Impact Flags
Intrusion event fields: source/destination IP, protocol (TCP/UDP), source/destination port, service, Snort ID, IOC (predefined impact)
Host profile fields: IP address, user IDs, protocols, server-side ports, client-side ports, services, client/server apps, operating system, potential vulnerabilities (CVE)

Impact Flag | Assessment                                          | Why
0           | General info: event outside profiled networks       | Destination host is outside the profile range
4           | Good information: host is currently not known       | Previously unseen host within the monitored network (host not yet profiled)
3           | Good information: event may not have connected      | Relevant port not open or protocol not in use on the host
2           | Worth investigation: host exposed                   | Relevant port or protocol in use, but no vulnerability mapped
1           | Act immediately: host vulnerable or compromised     | Host vulnerable to the attack or showing an IOC
If you have a fully profiled network, an Impact 1 event may be a critical event!

85 Correlating Weak Signals into Indicators of Compromise
Individually weak signals, correlated on one host of your network:
- Malware propagation detected by NGIPS
- Malware persistence actions detected by AMP for Endpoints
- DNS to a malware site detected by NGIPS
- Malware file download detected by AMP for Content
- CnC traffic detected by NGIPS

86 Order of Investigation: Getting to Remediation
[Diagram. Severity axis: Research & Tuning, Under Attack, You've been owned. Response axis: Data Collection, Incident Response, Remediation. Inputs ranked along them: Indication of Compromise, Correlation Rules, Impact 0, Impact 1, Impact 2-3, Impact 4, Dropped; weighting factors: Critical Assets, Not Blocked, Internal Source, External Source.]
The order may vary based on corporate priority.
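Impact assessment and the order of investigation in one piece of code, as an added example (illustrative code written for this page, not Cisco's implementation). `impact_flag` applies the five levels from the Impact Flags slide to an intrusion event using a host profile; `triage` then orders events the way the Order of Investigation slide suggests. The monitored range, host profiles and events are constructed sample data, and the exact priority order (not-blocked before dropped, IOC hosts first, then impact 1, 2, 3, 4, 0) is an assumption, since the slide says it varies by organisation.

```python
"""Impact-flag assignment and investigation ordering for intrusion events.
Illustrative only; MONITORED, HOSTS and EVENTS are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class HostProfile:
    ip: str
    open_ports: set = field(default_factory=set)   # {(proto, port)} seen as server
    vulns: set = field(default_factory=set)        # vulnerability IDs mapped to the host
    ioc: bool = False                               # host carries an Indication of Compromise


@dataclass
class IntrusionEvent:
    sid: int
    dst_ip: str
    proto: str
    dst_port: int
    cves: frozenset = frozenset()   # vulnerability references on the Snort rule
    dropped: bool = False           # inline result: the packet was dropped


# Networks the discovery policy profiles (constructed).
MONITORED = [ip_network("10.0.0.0/8")]


def impact_flag(ev: IntrusionEvent, hosts: dict) -> int:
    """0 = outside profiled networks, 4 = unprofiled host in range,
    3 = port/protocol not in use, 2 = in use but no vuln mapped,
    1 = host vulnerable to the rule's vulnerability or showing an IOC."""
    if not any(ip_address(ev.dst_ip) in net for net in MONITORED):
        return 0
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4
    if host.ioc or (ev.cves & host.vulns):
        return 1
    if (ev.proto, ev.dst_port) in host.open_ports:
        return 2
    return 3


# Assumed investigation order within the not-blocked and blocked groups.
IMPACT_RANK = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def triage(events, hosts: dict) -> list:
    """(event, impact) pairs, highest priority first: events that were not
    blocked come before dropped ones, hosts with an IOC come first, then
    impact 1, 2, 3, 4, 0."""
    def key(item):
        ev, flag = item
        host = hosts.get(ev.dst_ip)
        return (ev.dropped, not (host and host.ioc), IMPACT_RANK[flag])
    scored = [(ev, impact_flag(ev, hosts)) for ev in events]
    return sorted(scored, key=key)


# Constructed host profiles; vulnerability IDs are placeholders, not real CVEs.
HOSTS = {h.ip: h for h in [
    HostProfile("10.1.1.10", {("tcp", 80)}, {"VULN-A"}),
    HostProfile("10.1.1.20", {("tcp", 22)}, set(), ioc=True),
    HostProfile("10.1.1.30", {("tcp", 443)}),
]}

# Constructed events, deliberately listed out of priority order.
EVENTS = [
    IntrusionEvent(1005, "203.0.113.5", "tcp", 80),                        # outside range -> 0
    IntrusionEvent(1003, "10.1.1.10", "udp", 161),                         # port not in use -> 3
    IntrusionEvent(1006, "10.1.1.20", "tcp", 22, dropped=True),            # IOC host, but blocked
    IntrusionEvent(1001, "10.1.1.10", "tcp", 80, frozenset({"VULN-A"})),   # vulnerable -> 1
    IntrusionEvent(1004, "10.1.1.99", "tcp", 80),                          # unprofiled host -> 4
    IntrusionEvent(1002, "10.1.1.30", "tcp", 443, frozenset({"VULN-B"})),  # port open, no vuln -> 2
]

if __name__ == "__main__":
    for ev, flag in triage(EVENTS, HOSTS):
        print(f"impact {flag}  sid {ev.sid}  {ev.dst_ip}:{ev.dst_port}/{ev.proto}  dropped={ev.dropped}")
```

Note what the ordering does with event 1006: the host shows an IOC, so it is impact 1, but the packet was dropped, so it sorts after the unprofiled-host and out-of-range events. That matches the deck's later remark that impact 1 and 2 events "were probably blocked"; the dropped event still matters for scoping, just not for stopping an attack in progress. Event 1004 is the case the slide warns about: impact 4 on an address inside your range means discovery has never seen that host, which is a visibility problem as much as a security one.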

87 Stages of Incident Handling (SANS Institute): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
- Decide which events to focus on first
- Drill into a specific event
- Validate the breach
- Leverage documentation
- Leverage additional forensics
- Explore your remediation options
- Remediate
- Automate as many decisions or actions as possible

88 Identify Where to Start: If this is all there was, then the order of investigation would be easy. (From the FMC Dashboard)

89 Identify Where to Start: Indications of Compromise are often a better place to start. If only it were always so easy. (From the FMC Context Explorer)

90 What too many networks look like (from the FMC Context Explorer)
Some ways to choose where to start:
- Malware Executed (Endpoint AMP)
- Dropper Infection (Endpoint AMP)
- Threat detected in file transfer
- CnC Connected
- Shell Code Executed
- Impact 1 (these were probably blocked)
- Impact 2 (these were probably blocked)
Let's see what these 63 events are all about.

91 Drill into Workflow Busy event. Looks like we re getting more.

92 Investigate Host Seems active across 6 hosts. Let s drill into one.

93 Looks like Kim Ralls has a lot going on on her Windows host, from multiple sources: IPS Engine, File Protection, AMP for Networks.

94 More Information. .147 tried to send the file 5 times. .107 was sent the file once. IPS blocked it! (yeah) What does Impact 4 mean? Should we investigate more?

95 Did you forget about these? Let's see if that file moved around without the IPS seeing it.

96 Yep. That file is malware. We see it in the malware summary, too.

97 A lot more than the 6 file transfers and hosts the IPS engine stopped. Take Away: Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue. Good thing they have AMP for Endpoints, too. Bet they wished they had enabled quarantining. Problem scoped. Time to remediate. Maybe a good time to look at file analysis / ThreatGrid to learn what other artifacts are left behind.

98 Evaluation: Is the IPS Deployment Effective? Initially: (fine) tuning. Continuously: signature updates, FireSIGHT recommendations. Periodically: vulnerability scan, penetration testing.

99 Final thoughts (these are mine): Know your environment, don't look at alerts in isolation. Be suspicious. Think Next Generation security, not silver bullets. Don't be complacent, keep challenging your environment.

100 Q & A

101 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected Friday 11 March at Registration Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.

102 Thank you


More information

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led Certification: Certified Network Defender Exam: 312-38 Course Description This course is a vendor-neutral, hands-on,

More information

SONICWALL SECURITY HEALTH CHECK PSO 2017

SONICWALL SECURITY HEALTH CHECK PSO 2017 SONICWALL SECURITY HEALTH CHECK PSO 2017 Get help in fully utilizing your investment to protect your network Overview SonicWALL Security Health Check provides a customer with a comprehensive review of

More information

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Automated Response in Cyber Security SOC with Actionable Threat Intelligence Automated Response in Cyber Security SOC with Actionable Threat Intelligence while its biggest weakness is lack of visibility: SOCs still can t detect previously unknown threats, which is a consistent

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, page 1 The User

More information