Security for the real World NG IPS Jean-Paul Kerouanton Sourcefire, Inc.

Transcription

1 Security for the real World NG IPS Jean-Paul Kerouanton Sourcefire, Inc. Prepared for:

2 Agenda Your Security Challenges About Sourcefire A New Approach How It Works Products & Services Questions & Next Steps 2

3 Let s Solve Problems What are your challenges? How are they being addressed today? What s your ideal solution? How are you organized? What is your timeframe for this project? 3

4 Why an IPS? (1) Vulnerability exposure just happen as you use software (+5 CVE / day in 2010) Average time for patching counts in months Personal usage of the internet by employees increase exposure Malware Targeted fishing SSL (gmail ) Social networks Smartphones 4

5 Why an IPS (2) 100% of modern attacks use authorised traffic, accounts and privileges on your network Most of modern attacks are designed not to destroy but to ex-filter information without being detected Stuxnet (SCADA) Aurora (IE Vuln) Destroyer worms and BotNets are still real and active 5

6 NGIPS : Definition

7 Today s Reality Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure. Neil MacDonald VP & Gartner Fellow Source: Gartner, Inc., The Future of Information Security is Context Aware and Adaptive, May 14, 2010 Dynamic Threats Organized attackers Sophisticated threats Multiple attack vectors Static Defenses Ineffective defenses Black box limits flexibility Set-and-forget doesn t work 7

8 About Sourcefire

9 About Sourcefire Mission: To be the leading provider of intelligent cybersecurity solutions for the enterprise. Founded in 2001 by Snort Creator, Martin Roesch, CTO Headquarters: Columbia, MD Focus on enterprise and government customers Global Security Alliance ecosystem NASDAQ: FIRE 9

10 Powered by Snort Global standard for Intrusion Detection and Prevention World s largest threat response community Interoperable with other security products Owned and controlled by Sourcefire, Inc. 10

11 Backed by the VRT 150+ Private & Public Threat Feeds Snort & ClamAV Community Insight Advanced Microsoft & Industry Disclosure 20,000 Malware Samples per Day Sourcefire Vulnerability Research Team (VRT) Research & Analysis Best-in-Class Threat Protection 11

12 A New Approach

13 Traditional IPS vs. Next-Generation IPS Traditional IPS Next-Generation IPS Closed & Blind Architecture Open & Customizable None or Limited Awareness Visibility & Intelligence 13 Human Intensive Automation Self Tuning & Precision

14 14 Traditional IPS vs. Next-Generation IPS

15 14 Traditional IPS vs. Next-Generation IPS

16 Traditional IPS vs. Next-Generation IPS Traditionnal IPS

17 Traditional IPS vs. Next-Generation IPS Traditionnal IPS

18 Traditional IPS vs. Next-Generation IPS Traditionnal IPS

19 Traditional IPS vs. Next-Generation IPS Traditionnal IPS

20 Traditional IPS vs. Next-Generation IPS Traditionnal IPS

21 Traditional IPS vs. Next-Generation IPS Traditionnal IPS

22 15 Traditional IPS vs. Next-Generation IPS

23 15 Traditional IPS vs. Next-Generation IPS

24 15 Traditional IPS vs. Next-Generation IPS

25 15 Traditional IPS vs. Next-Generation IPS

26 15 Traditional IPS vs. Next-Generation IPS

27 15 Traditional IPS vs. Next-Generation IPS

28 15 Traditional IPS vs. Next-Generation IPS

29 Next-Gen IPS The Power of Awareness Network Know what s there, what s vulnerable, and what s under attack Application Identify change and enforce policy on hundreds of applications Behavior Detect anomalies in configuration, connections and data flow Identity Know who is doing what, with what, and where 16

30 Next-Gen IPS Highly Automated Operation Real Time, All the Time! 17

31 How It Works

32 19 Context is everything

33 Context is everything How much security context would you like? 19

34 Context is everything Event:!! Attempted Privilege Gain Target:!!

35 Context is everything Event:!! Target:!! Host OS:! Applications:! Location:! Attempted Privilege Gain (vulnerable) Blackberry Mail, Browser, Twitter Whitehouse, US Event:!! Attempted Privilege Gain Target:!!

36 Context is everything Event:!! Attempted Privilege Gain Target:!! (vulnerable) Host OS:! Blackberry Applications:! Mail, Browswer, Twitter Location:! Whitehouse, US User ID:!! bobama Full Name:! Barack Obama Department:! Executive Branch Event:!! Target:!! Host OS:! Applications:! Location:! Attempted Privilege Gain (vulnerable) Blackberry Mail, Browser, Twitter Whitehouse, US Event:!! Attempted Privilege Gain Target:!!

37 20 Monitor equipment configurations

38 Monitor equipment configurations Sample real-time Network map Create Baseline Compliance Map Compare for differences 20

39 Monitor equipment configurations Sample real-time Network map Create Baseline Compliance Map Compare for differences Actionable Event 20

40 Putting it all together Increasing accuracy in dynamic networks Pre-processor configuration Rule Mix PCN PCN IPS Asset Discovery Defense Center 21

41 Putting it all together Increasing accuracy in dynamic networks Pre-processor configuration Network attacks Rule Mix IPS PCN PCN Detected Incidents Asset Discovery Defense Center 21

42 Putting it all together Increasing accuracy in dynamic networks Pre-processor configuration Network attacks Rule Mix IPS PCN PCN Detected Incidents 1 Impact Correlation Asset Discovery Defense Center 21

43 Putting it all together Increasing accuracy in dynamic networks Pre-processor configuration Rule Mix Network attacks IPS False negatives PCN PCN Detected Incidents 1 Asset Discovery Defense Center 21

44 Putting it all together Increasing accuracy in dynamic networks Pre-processor configuration Rule Mix Network attacks IPS False negatives PCN PCN Updated Preprocessor configuration Detected Incidents Updated Rule Mix 1 Asset Discovery Automatic Rules Tuning Defense Center 21

45 Putting it all together Increasing accuracy in dynamic networks Updated Preprocessor Pre-processor configuration configuration Network attacks Updated Rule Rule Mix Mix IPS PCN PCN Detected Incidents 1 Asset Discovery Defense Center 21

46 Sourcefire Products

47 Mgmt Next-Generation IPS Products Defense Center Management Console Technologies Nextgeneration IPS Awareness 23 SSL Inspection Virtual Products

48 24 Sourcefire 3D system components

49 Sourcefire 3D system components Discover In-line IPS Sensing Network Passive In-line RNA Passive In-line RUA Passive 24 G/bit copper or fiber

50 Sourcefire 3D system components Discover Determine Sensing Network In-line IPS Passive Typically, 1Kb / event In-line RNA Typically. 100 bytes / event DC Passive In-line RUA Management Network Passive G/bit copper 24 G/bit copper or fiber

51 Sourcefire 3D system components Discover Determine Defend Sensing Network In-line IPS Passive Typically, 1Kb / event , SNMP, Syslog,SSL In-line RNA Typically. 100 bytes / event DC Firewall, IPS, Switchers, Routers Passive In-line RUA Management Network Configuration and Compliance Mgmt. Passive G/bit copper 24 G/bit copper or fiber

52 25 Sourcefire 3DSensors

53 Sourcefire 3DSensors De 5Mbps à 10Gbps Connectivité 1G Cuivre/fibre 10G LR 10G SR Cartes failopen intégrées Configuration de 4 à 12+ ports Dimensionnement: Débit #ports #instances 10/20 Gbit/s 4 Gbit/s 2 Gbit/s 1Gbit/s 500 Mbit/s 250 Mbit/s 100 Mbit/s 45 Mbit/s 5 Mbit/s 3D9900 3D6500 3D4500 3D3500 3D2500 3D2100 3D2000 3D1000 3D500 3 body plans 25

54 Why Sourcefire? Powered by Snort Driven by Awareness Best-in-Class Detection Open Architecture Highly Automated Stop Doing Things the Old Way! Try the Next Generation in Intrusion Detection & Prevention. 26

55 27 Questions & Next Steps

56 28 Demo System