Agile Security Solutions
Piotr Linke, Security Engineer (CISSP, CISA, CRISC, CISM)

Open Source SNORT

Consider these guys: all were smart, all had security, all were seriously compromised.
The Industrialization of Hacking
(Timeline chart, 1985 to 2010: viruses, macro viruses, worms, hackers, spyware/rootkits, APTs, malware. Early attackers: goal glory, mode noise; later attackers: goal profit, mode stealth.)
Attackers and defenders drive each other to innovate, resulting in distinct threat cycles.

So what are you trying to protect?
- Server infrastructure
- Desktops
- Users
- BYOD

Who are we fighting against?
Black Hole v2
Nuclear Pack 2.0

Note the advertising strip.

Agile Security process

Lockheed Martin's APT Kill Chain
One platform addresses the entire attack continuum through software licenses:
- BEFORE: see it, control it
- DURING: intelligent and context aware
- AFTER: retrospective security
NGFW, NGIPS and AMP, delivered as appliances or virtual.

Sourcefire Agile Security Solutions
- Management Center (appliances, virtual)
- Next-Generation Firewall
- Next-Generation Intrusion Prevention
- Advanced Malware Protection (hosts, virtual, mobile, appliances)
- Collective Security Intelligence
- Contextual Awareness

FireSIGHT is built into all Sourcefire next-generation security solutions to provide the network intelligence and context you need to respond to changing conditions and threats.
FireSIGHT Saves Money and Improves Security
- IT Insight: spot rogue hosts, anomalies, policy violations, and more
- Impact Assessment: threat correlation reduces actionable events by up to 99%
- Automated Tuning: adjust IPS policies automatically based on network change
- User Identification: associate users with security and compliance events

FirePOWER supports a range of Sourcefire security solutions with unmatched performance, threat protection and energy efficiency.

FirePOWER Hardware Features
- LCD Display: quick and easy headless configuration
- Connectivity Choice: change and add connectivity inline with network requirements
- Configurable Bypass or Fail Closed Interfaces: for IDS, IPS or firewall deployments
- Device Stacking: scale monitoring capacity through stacking
- Lights Out Management: minimal operational impact
- SSD: solid state drive for increased reliability
- Hardware Acceleration: for best in class throughput, security, rack size/Mbps, and price/Mbps

FirePOWER Appliances (NGIPS / App Control / NGFW / AMP)
(Chart: appliance models 7010, 7020, 7030, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290 and SSL1500, SSL2000, SSL8200, plotted by IPS throughput from 50 Mbps up to 40 Gbps, grouped by connectivity: fixed, mixed/SFP, modular, stackable.)
All appliances include: integrated lights-out management, Sourcefire acceleration technology, LCD display.
What is a Next-Generation IPS? (Gartner definition)
- Supports bump-in-the-wire configuration without disrupting network traffic
- Acts as a platform for network traffic inspection, intrusion detection and enforcement
- Standard first-generation IPS capabilities
- Application awareness and full-stack visibility
- Context awareness
- Content awareness
- Agile engine
Source: Sourcefire, defining_nextgeneration_netw_218641.pdf

Next Generation Firewall (NGFW) with Application Control

Reduce Risk Through Granular Application Control
- Control access for applications, users and devices
- Employees may view Facebook, but only Marketing may post to it
- No one may use peer-to-peer file sharing apps
- Over 2300 apps, devices, and more!

URL Filtering and Reputation
- Block non-business-related sites by category
- Based on user and user group
- Provide URL reputation information
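The application-control examples above (view Facebook for everyone, post only for Marketing, no peer-to-peer for anyone) only work if the rule order is right: the narrow allow for Marketing must sit above the general block on posting. The following is an added illustration of such an ordered policy evaluator; it is not Sourcefire code, and the application catalogue, group names and rule layout are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    """One access-control rule. Empty sets mean 'any'."""
    verdict: str                            # "allow" or "block"
    app: Optional[str] = None               # application name, None = any app
    category: Optional[str] = None          # application category, None = any
    actions: FrozenSet[str] = frozenset()   # e.g. {"view"}, {"post"}; empty = any
    groups: FrozenSet[str] = frozenset()    # user groups the rule applies to; empty = any


# Constructed application catalogue (hypothetical, not the product's database).
APP_CATEGORY = {
    "Facebook": "social",
    "BitTorrent": "peer-to-peer",
    "Dropbox": "file-sharing",
}

# Constructed policy mirroring the slide. Order matters: first match wins,
# so the Marketing exception precedes the general block on posting.
POLICY: Sequence[Rule] = (
    Rule("block", category="peer-to-peer"),                                     # 0: nobody
    Rule("allow", app="Facebook", actions=frozenset({"post"}),
         groups=frozenset({"Marketing"})),                                      # 1: only Marketing may post
    Rule("block", app="Facebook", actions=frozenset({"post"})),                 # 2: everyone else may not
    Rule("allow", app="Facebook", actions=frozenset({"view"})),                 # 3: everyone may view
)
DEFAULT_VERDICT = "allow"   # policy default action, assumed for the example


def matches(rule: Rule, app: str, action: str, groups: FrozenSet[str]) -> bool:
    """True if every constraint the rule sets is satisfied by the request."""
    if rule.app is not None and rule.app != app:
        return False
    if rule.category is not None and APP_CATEGORY.get(app) != rule.category:
        return False
    if rule.actions and action not in rule.actions:
        return False
    if rule.groups and not (rule.groups & groups):
        return False
    return True


def evaluate(app: str, action: str, groups, policy: Sequence[Rule] = POLICY,
             default: str = DEFAULT_VERDICT) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the matching rule) or (default, None)."""
    group_set = frozenset(groups)
    for index, rule in enumerate(policy):
        if matches(rule, app, action, group_set):
            return rule.verdict, index
    return default, None


if __name__ == "__main__":
    for req in [("Facebook", "view", {"Employees"}),
                ("Facebook", "post", {"Employees"}),
                ("Facebook", "post", {"Employees", "Marketing"}),
                ("BitTorrent", "upload", {"Marketing"})]:
        print(req, "->", evaluate(*req))
```

Swapping rules 1 and 2 would silently turn the Marketing exception into dead code, which is the kind of mistake worth catching with a small test like the one a policy author would run before deploying.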
Advanced Malware Protection (AMP)

FireAMP Building Blocks
Visibility and Control:
- Lightweight Connector: watches for move/copy/execute; traps fingerprint and attributes
- Mobile Connector: watches for apps; traps fingerprint and attributes
- Advanced Malware Protection Network: defense against malware; identifies and blocks malicious files
- Transaction Processing
- Analytics
- Intelligence
- Web-based Manager

Comprehensive AMP Features (feature: benefit)
- Malware Detection and Blocking: stop malware before it can compromise systems, at the network and endpoints
- Retrospective Detection: turn back the clock against malware; continuous, persistent monitoring of files for retrospective malware detection/blocking
- File Trajectory: quickly understand the scope of the malware problem; malware tracking and visualization of malware and suspicious files across the network
- Device Trajectory: deep analysis of root causes; visualization of system-level activities for root cause determination
- Device Flow Correlation: stop proliferation of malware and root causes at the endpoint; block malware communication and dropper activity at the endpoint
- File Analysis: fast and safe file forensics; full file analysis to quickly understand malware and file behavior
- Outbreak Control: quickly stop malware from spreading; control a suspicious file or malware outbreak across endpoints
- Indications of Compromise: spotlight systems at risk of active breach; prioritized list of compromised devices with links to inspect and remediate the problem
Visibility & Control with FireAMP
- Reporting
- Trajectories
- Analysis (sandbox)
- Control (compliance)

Spotlight: Reporting
- Applications Introducing Malware
- Threats Resident on First Scan
- Possible APT
- Customize by group; schedule or on demand

Spotlight: File Trajectory
- Malware flight recorder shows point of entry and extent of outbreak
- Discover the malware gateway to reduce the risk of re-infection
- Identify systems that have downloaded/executed a specific malware file

Spotlight: Device Trajectory
- Extremely powerful malware behavioral analysis and forensics tool
- Analyze operating system behavior prior to, during and post infection
- Trace each stage of infection and communication to other internal and external hosts
FireAMP Mobile
- Visibility: detect and analyze Android (2.1+) threats; cloud-based, real time
- Control: contain and remediate; blacklists
- Enterprise ready: advanced malware protection using big data analytics

FireAMP Virtual
- Leverages VMware's EPSec API to integrate with vShield
- Deployed as a virtual appliance on each host
- Managed via FireAMP's cloud portal
- Note: because file activity is offloaded, File Trajectory will not display the parent SHA

Retrospective Alerting
- What systems are affected?
- What is the point and method of entry?
- Continuous analysis: never forgets
- Network and devices
- Turns back the clock against malware
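Both the File Trajectory slide and the Retrospective Alerting slide above describe the same mechanism: file sightings (hash, host, action, source) are recorded continuously, and when a hash's disposition later changes to malicious the stored trajectory answers "which systems are affected" and "what was the point of entry". The block below is an added illustration of that idea and is not FireAMP code; the event log, hash values and disposition store are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: int        # constructed timestamp (seconds)
    host: str      # endpoint that saw the file
    sha256: str    # file fingerprint
    action: str    # "download", "copy" or "execute"
    source: str    # where the file came from: a URL for downloads, the peer host for copies


# Constructed sample trajectory: one file enters via ws-01, spreads by copy, runs twice.
HASH_A = "a" * 64   # placeholder hash, not a real sample
HASH_B = "b" * 64   # placeholder hash, not a real sample
EVENTS: List[FileEvent] = [
    FileEvent(1000, "ws-01", HASH_A, "download", "http://cdn.example.test/setup.exe"),
    FileEvent(1050, "ws-01", HASH_A, "execute", "ws-01"),
    FileEvent(1100, "ws-02", HASH_A, "copy", "ws-01"),
    FileEvent(1200, "ws-03", HASH_B, "download", "http://files.example.test/tool.zip"),
    FileEvent(1300, "ws-02", HASH_A, "execute", "ws-02"),
    FileEvent(1400, "ws-04", HASH_A, "copy", "ws-02"),
]

# Dispositions known at the time the events were recorded. HASH_A was unknown
# then, so nothing was blocked; the retrospective pass below catches it later.
VERDICTS_AT_SIGHTING: Dict[str, str] = {HASH_A: "unknown", HASH_B: "clean"}


def file_trajectory(events: List[FileEvent], sha256: str) -> Optional[dict]:
    """Reconstruct where a file entered, which hosts touched it, and how it moved."""
    hits = sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.ts)
    if not hits:
        return None
    entry = hits[0]                     # earliest sighting = point of entry
    hosts_seen: List[str] = []
    for e in hits:                      # keep first-seen order, no duplicates
        if e.host not in hosts_seen:
            hosts_seen.append(e.host)
    return {
        "point_of_entry": {"host": entry.host, "source": entry.source, "ts": entry.ts},
        "hosts_seen": hosts_seen,
        "hosts_executed": sorted({e.host for e in hits if e.action == "execute"}),
        "spread": [(e.source, e.host) for e in hits if e.action == "copy"],
    }


def retrospective_alerts(events: List[FileEvent], old: Dict[str, str],
                         new: Dict[str, str]) -> Dict[str, dict]:
    """Alert on every hash whose disposition changed to malicious since it was seen."""
    flipped = [h for h, v in new.items() if v == "malicious" and old.get(h) != "malicious"]
    return {h: file_trajectory(events, h) for h in flipped}


if __name__ == "__main__":
    updated = dict(VERDICTS_AT_SIGHTING, **{HASH_A: "malicious"})  # intelligence update arrives
    for h, report in retrospective_alerts(EVENTS, VERDICTS_AT_SIGHTING, updated).items():
        print(h[:12], report)
```

The detection that matters here did not happen at the moment of the download; it happened when the verdict changed, and it was only possible because every sighting had been kept. The "spread" list is what lets a responder pick the right host to isolate to stop re-infection rather than cleaning endpoints one at a time.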
Collective Security Intelligence

Collective Security Intelligence
- Private and public threat feeds
- IPS rules
- Malware protection
- Sourcefire Vulnerability Research Team
- Sandboxing
- Machine learning
- Big data infrastructure
- Reputation feeds
- Vulnerability database updates
- Sourcefire AEGIS Program
- Sandnets
- File samples (>180,000 per day)
- FireAMP community
- Honeypots
- Advanced Microsoft and industry disclosures
- SPARK Program
- Snort and ClamAV open source communities

Protecting Your Network
- 2 SEU/SRU and 1 VDB updates per week
- 98.9% vulnerability coverage per NSS Labs IPS group test
- >10 CVEs covered per day
- 4,310 new IPS rules
- 100% same-day protection for Microsoft vulnerabilities
- >250,000 malware submissions per day

STP and a Threat Centric Ecosystem

Thank you very much for your attention!