Next-generation firewall on the Sourcefire (SF) platform, access policies, file analysis, FireAMP and attack trajectories


Next-generation firewall on the Sourcefire platform, access policies, file analysis, FireAMP and attack trajectories. Jiří Tesař, CSE Security, jitesar@cisco.com, CCIE #14558, SFCE #124266

Mapping Technologies to the Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Technologies placed on the continuum: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW/AVC, UTM, Web Security, Network Behavior Analysis, NAC + Identity Services, Email Security, with Visibility and Context spanning all three phases.

Cisco/Sourcefire Security Solutions
- FireSIGHT Management Center (appliances, virtual)
- FirePOWER Appliances (appliances, virtual): Next-Generation Intrusion Prevention, Application Control, Contextual Awareness, Advanced Malware Protection
- FireAMP (hosts, virtual, mobile)
- Collective Security Intelligence

Access Policy

FW integration with IPS: only a license is required

Demo

Policy-Driven Visibility and Control: Filter Access and Apply Protection by Application, User, and Traffic Path

Application Control Example: Prevent BitTorrent

Web Access Filtering: URL, Category, Reputation

Security Intelligence: Automatically Updated Blacklists

Geolocation: Visibility, Reports

Geolocation Blocking in Access Rules (NGFW)
- Define how traffic should be handled based on source and/or destination country
- Assign a different intrusion prevention policy based on country of origin
- Completely block all communications to a certain country
- Adds country objects to the access control policy
- A new tab in the network pane of the access control rule editor allows selection of country objects
- Selecting a country in an access control rule selects all IP addresses associated with that country
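The access policy slides above (application control, URL filtering, Security Intelligence blacklists and geolocation blocking) describe one evaluation order: a Security Intelligence blacklist hit is decided before any access control rule, then rules are matched top to bottom and the first match decides the action and, for allowed traffic, which intrusion policy inspects it. The following Python model, added here as an illustration and not code from the original deck or from Cisco, makes that order explicit. The country-to-prefix table, the blacklist entry, the rule names and the intrusion policy names are constructed assumptions; a real country object expands to every prefix registered to that country.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed, hypothetical geolocation data: country code -> prefixes.
COUNTRY_PREFIXES = {
    "CZ": [ipaddress.ip_network("203.0.113.0/24")],
    "XX": [ipaddress.ip_network("198.51.100.0/24")],   # a country we want to block
}

# Constructed stand-in for one Security Intelligence blacklist feed.
SI_BLACKLIST = {ipaddress.ip_address("198.51.100.77")}


@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "block"
    src_countries: set = field(default_factory=set)
    dst_countries: set = field(default_factory=set)
    applications: set = field(default_factory=set)
    url_categories: set = field(default_factory=set)
    intrusion_policy: Optional[str] = None       # only meaningful for "allow"


def country_of(ip: str) -> Optional[str]:
    """Resolve an address to a country object, None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in COUNTRY_PREFIXES.items():
        if any(addr in net for net in nets):
            return cc
    return None


def evaluate(conn: dict, rules: list, default_action="allow", default_ips="Balanced"):
    """Return (matched rule name, action, intrusion policy) for one connection.

    Security Intelligence blacklisting is applied before any access rule,
    which is the order in which FireSIGHT evaluates traffic."""
    src, dst = ipaddress.ip_address(conn["src"]), ipaddress.ip_address(conn["dst"])
    if src in SI_BLACKLIST or dst in SI_BLACKLIST:
        return ("Security Intelligence", "block", None)

    src_cc, dst_cc = country_of(conn["src"]), country_of(conn["dst"])
    for r in rules:                               # first match wins, top to bottom
        if r.src_countries and src_cc not in r.src_countries:
            continue
        if r.dst_countries and dst_cc not in r.dst_countries:
            continue
        if r.applications and conn.get("app") not in r.applications:
            continue
        if r.url_categories and conn.get("url_category") not in r.url_categories:
            continue
        return (r.name, r.action, r.intrusion_policy if r.action == "allow" else None)
    return ("Default", default_action, default_ips if default_action == "allow" else None)


# Constructed example policy: app control, URL filtering, geolocation blocking
# and a stricter IPS policy for traffic arriving from country XX.
POLICY = [
    Rule("Prevent BitTorrent", "block", applications={"BitTorrent"}),
    Rule("Block malware sites", "block", url_categories={"Malware Sites"}),
    Rule("Block traffic to XX", "block", dst_countries={"XX"}),
    Rule("Inspect traffic from XX", "allow", src_countries={"XX"},
         intrusion_policy="Security Over Connectivity"),
]


if __name__ == "__main__":
    for c in [
        {"src": "10.0.0.5", "dst": "203.0.113.9", "app": "BitTorrent"},
        {"src": "10.0.0.5", "dst": "198.51.100.77", "app": "HTTP"},
        {"src": "198.51.100.10", "dst": "10.0.0.5", "app": "HTTP"},
    ]:
        print(c, "->", evaluate(c, POLICY))
```

Note that the blacklisted host 198.51.100.77 lies inside country XX as well: the blacklist verdict wins because it is evaluated first, so the connection event is logged as a Security Intelligence block rather than a geolocation rule match.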

Updates from Cloud (VRT): IPS software, vulnerabilities with platforms

Updates from Cloud (VRT): Snort Rules

Chaining FW with IPS and File Analysis

Advanced Malware Protection

Sourcefire Advanced Malware Protection with Retrospective Security: Comprehensive Network + Endpoint, Continuous Analysis, Integrated Response, Big Data Analytics, Control & Remediation, Collective Security Intelligence

Our Approach for Advanced Malware Protection
- Network AMP (Defense Center + Sourcefire Sensor, AMP Malware license): Retrospective Security, Continuous File Analytics, Reputation Determination; no client needed on the hosts
- Client-based AMP (SaaS Manager): small code footprint (like a printer driver) on host and mobile devices; checks file copying / execution / moving; traps fingerprint and attributes; queries the cloud for file disposition

Dynamic Analysis: Process Overview (* = new with 5.3)
- File detected on the FirePOWER appliance: it calculates hashes and saves a copy if policy dictates*
- Hash metadata is sent via FireSIGHT Management (optional proxy*) to the FireAMP Cloud (metadata / hashes)
- AMP Cloud response, e.g. Disposition = Unknown, Threat Score = Unknown*
- If policy dictates, the file itself is sent (optional proxy*) to the VRT Dynamic Analysis Cloud* (files)
- Dynamic analysis returns*: analysis queue status, error status, threat score
Sourcefire Cloud Services = VRT Dynamic Analysis Cloud (files) + FireAMP Cloud (metadata / hashes)
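The process above hinges on which file rule action is configured: only the two malware actions (Malware Cloud Lookup, Block Malware) hash the file and consult the cloud, and only an Unknown disposition triggers capture and dynamic analysis. The Python below is an added illustration of that decision flow, not code from the deck or from Cisco. Both clouds are replaced by constructed in-memory tables, the set of hashable file types is a subset taken from the slides, and the rule that an Unknown file with a high threat score is surfaced rather than blocked is an assumption of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the two cloud services in the slide.
FIREAMP_CLOUD: dict = {}              # SHA256 -> disposition ("Clean" / "Malware")
DYNAMIC_ANALYSIS_CLOUD: dict = {}     # SHA256 -> threat score, absent = still queued

# File types for which the sensor computes a SHA256 (subset from the slides; assumption).
HASHABLE_TYPES = {"MSEXE", "PDF", "JAR", "SWF", "RAR", "ZIP"}


@dataclass
class FileEvent:
    sha256: Optional[str]
    file_type: str
    rule_action: str
    disposition: str               # "Clean", "Malware", "Unknown" or "n/a"
    threat_score: Optional[int]
    captured: bool                 # a copy was stored on the sensor
    submitted: bool                # sent to the dynamic analysis cloud
    verdict: str                   # "Allow" or "Block"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cloud_lookup(sha: str) -> str:
    """FireAMP cloud lookup on the hash only; the file itself never leaves."""
    return FIREAMP_CLOUD.get(sha, "Unknown")


def submit_dynamic_analysis(sha: str) -> Optional[int]:
    """VRT dynamic analysis; None means the sample is still in the queue."""
    return DYNAMIC_ANALYSIS_CLOUD.get(sha)


def inspect_file(data: bytes, file_type: str, rule_action: str,
                 capture_unknown: bool = True, analyse_unknown: bool = True) -> FileEvent:
    """Apply one file rule to a detected file.

    rule_action is one of the four file rule actions: 'Detect Files',
    'Block Files', 'Malware Cloud Lookup', 'Block Malware'."""
    if rule_action == "Detect Files":
        return FileEvent(None, file_type, rule_action, "n/a", None, False, False, "Allow")
    if rule_action == "Block Files":
        return FileEvent(None, file_type, rule_action, "n/a", None, False, False, "Block")
    if file_type not in HASHABLE_TYPES:
        # No SHA256 for this type: no cloud lookup and no file trajectory entry.
        return FileEvent(None, file_type, rule_action, "n/a", None, False, False, "Allow")

    sha = sha256_of(data)
    disposition = cloud_lookup(sha)
    score, captured, submitted = None, False, False
    if disposition == "Unknown":
        captured = capture_unknown               # store a copy if policy dictates
        if analyse_unknown:
            submitted = True
            score = submit_dynamic_analysis(sha)  # queue status / threat score
    # Assumption for this example: only a Malware disposition is blocked; a high
    # threat score on an Unknown file is reported to the analyst, not blocked.
    blocked = rule_action == "Block Malware" and disposition == "Malware"
    return FileEvent(sha, file_type, rule_action, disposition, score,
                     captured, submitted, "Block" if blocked else "Allow")


# Constructed samples and constructed cloud state.
KNOWN_BAD = b"constructed sample: known malware"
KNOWN_CLEAN = b"constructed sample: clean installer"
NEVER_SEEN = b"constructed sample: never seen before"
FIREAMP_CLOUD[sha256_of(KNOWN_BAD)] = "Malware"
FIREAMP_CLOUD[sha256_of(KNOWN_CLEAN)] = "Clean"
DYNAMIC_ANALYSIS_CLOUD[sha256_of(NEVER_SEEN)] = 95   # sandbox finished, high score

if __name__ == "__main__":
    print(inspect_file(KNOWN_BAD, "MSEXE", "Block Malware"))
    print(inspect_file(NEVER_SEEN, "PDF", "Block Malware"))
```

The practical consequence shown by the Unknown case: the sensor lets the file through and only later learns its threat score, which is exactly the gap retrospective security and file trajectory are meant to close.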

Advanced Malware Detection
A detection lattice considers content from each engine for real-time file disposition: One-to-One Signature, Fuzzy Fingerprinting, Machine Learning, Advanced Analytics, Dynamic Analysis. Cloud-based delivery results in better protection plus a lower storage and compute burden.

Private Cloud: Local Decision (VM)
Capabilities compared for Private Cloud vs Public Cloud: File/Device Trajectory, Threat Root Cause, IOC and alerting, Simple and Custom detection, Cloud Lookups/Retrospective Alerting, File Analysis

Retrospective Security: Always Watching, Never Forgets, Turns Back Time
- Continuous Analysis: retrospective detection of malware beyond the event horizon
- Trajectory: determine scope by tracking malware in motion and activity
- File Trajectory: visibility across the organization, centering on a given file
- Device Trajectory: deep visibility into file activity on a single system

File Trajectory: Quickly understand the scope of a malware problem (Network + Endpoints)
Looks ACROSS the organization and answers:
- What systems were infected?
- Who was infected first ("patient 0") and when did it happen?
- What was the entry point? When did it happen?
- What else did it bring in?

File Trajectory: Who was Patient 0? (Introduction)

File Trajectory: How is it distributed? (Introduction) Sent by mail (Thunderbird)

File Trajectory: What else happened? Click to view the progression and propagation of advanced malware throughout the environment

Network File Trajectory
- View the path a file took through the network to reach its destination
- Works with files of any disposition, not just malware
- Uses SHA256 to uniquely identify a file; available for file types where a SHA256 is calculated (PDF, EXE, JAR, SWF, Word, Excel, PowerPoint, etc.)
- Requires a File Policy to be enabled with malware detection or blocking as the file action (to generate the SHA256), and the File Trajectory link
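The file trajectory slides above ask four questions of one SHA256: which systems received it, who was patient 0 and through which entry point, how it spread, and (retrospective security) which hosts received it while its disposition was still Unknown. The Python below is an added example of answering those questions from a list of file events; it is not code from the deck or from Cisco. The event list, host names, timestamps and the SHA256 value are constructed, and the event layout (timestamp, hash, sender, receiver, application, disposition at the time) is an assumption of this example rather than the FireSIGHT schema.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileTransfer:
    ts: int            # seconds, constructed
    sha256: str
    sender: str        # host that sent the file
    receiver: str      # host that received (and now holds) the file
    app: str           # application protocol seen by the sensor
    disposition: str   # disposition known at the time of the event


# Constructed SHA256 value and constructed sample events for one file.
SHA = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
EVENTS = [
    FileTransfer(100, SHA, "mail.example", "ws-01", "SMTP", "Unknown"),   # entry point
    FileTransfer(160, SHA, "ws-01", "fileserver", "SMB", "Unknown"),
    FileTransfer(200, SHA, "fileserver", "ws-07", "SMB", "Unknown"),
    FileTransfer(205, SHA, "ws-01", "ws-03", "SMTP", "Unknown"),
    FileTransfer(900, SHA, "fileserver", "ws-09", "SMB", "Malware"),      # after conviction
]


def trajectory(events, sha):
    """All events for one file, oldest first."""
    return sorted((e for e in events if e.sha256 == sha), key=lambda e: e.ts)


def patient_zero(events, sha):
    """(first receiving host, time, entry application) or None if never seen."""
    t = trajectory(events, sha)
    return (t[0].receiver, t[0].ts, t[0].app) if t else None


def infected_hosts(events, sha):
    """Every system that received the file, whatever its disposition was."""
    return {e.receiver for e in trajectory(events, sha)}


def spread_graph(events, sha):
    """sender -> [(receiver, app, ts), ...]: how the file propagated."""
    g = defaultdict(list)
    for e in trajectory(events, sha):
        g[e.sender].append((e.receiver, e.app, e.ts))
    return dict(g)


def retrospective_conviction(events, sha, convicted_at):
    """Hosts that received the file before the cloud changed its disposition
    to Malware at `convicted_at`, i.e. beyond the event horizon of any
    point-in-time scan. These are the hosts to alert on without ever seeing
    the file cross the sensor again."""
    return {e.receiver for e in trajectory(events, sha)
            if e.ts < convicted_at and e.disposition != "Malware"}


if __name__ == "__main__":
    print("patient 0:", patient_zero(EVENTS, SHA))
    print("infected:", sorted(infected_hosts(EVENTS, SHA)))
    print("spread:", spread_graph(EVENTS, SHA))
    print("retro-convicted at t=500:", sorted(retrospective_conviction(EVENTS, SHA, 500)))
```

The last function is the point of the retrospective model: ws-01, ws-03, ws-07 and the file server all took the file while it was Unknown, so a conviction at t=500 must reach back to them even though only the t=900 transfer was blocked inline.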

AMP configuration in FirePOWER

Device Trajectory: Break the reinfection lifecycle with fast root cause analysis (Endpoint)
Looks DEEP into a device and helps answer:
- How did the threat get onto the system?
- How bad is my infection on a given device?
- What communications were made?
- What don't I know?
- What is the chain of events?

Device Trajectory

AMP Device Trajectory

AMP Context Explorer Details

AMP Context: IOCs (Indicators of Compromise)
- Monitor and analyse files' potential malware traits
- Monitors the now and retrospectively convicts files
- Filters and sorts the most important events
- Tells the analyst what is happening, reducing TCO
- Quick links to trajectory
- Search for SHAs (fingerprints) and list all computers that have the file

Sourcefire Advanced Malware Protection: complete solution suite to protect the extended network
- FireAMP for hosts, virtual and mobile devices
- Dedicated Advanced Malware Protection (AMP) appliance
- Advanced Malware Protection for FirePOWER (NGIPS, NGFW)
- Cisco Email and Web Security Appliances

New Advanced Malware Protection Appliances: more memory, storage, and CPU capacity for dedicated AMP processing
- AMP7150: 500 Mbps of Advanced Malware Protection, 120G storage, AC power only, 4 fixed copper ports (configurable bypass), 8 non-bypass SFP ports
- AMP8150: 2 Gbps of Advanced Malware Protection, 400G storage, AC and DC power options, 3 x NetMod slots, no stacking

Using Security Intelligence

Security Intelligence in FireSIGHT (NGIPS & NGFW)
SI events in a separate table: enables improved SI event storage outside of connection events and improved dashboard views of SI data, e.g. hosts that have connected to CnC servers.
What kind of events? Botnet C&C traffic, known attackers, open proxies/relays, malware, phishing and spam sources. Allows creation of custom lists; download lists from Sourcefire or third parties.

Security Intelligence View: Analysis > Connections > Security Intelligence

Indications of Compromise (IOC) (NGIPS)
Different event sources: IPS events (Snort), FireAMP events (endpoint), malware events (network), Security Intelligence (network + endpoint)
What do they mean?
- Has it been targeted by a type of network attack? (Snort)
- Has it downloaded malware? (Snort, FireAMP, Malware)
- Has it executed malware? (FireAMP)
- Has it connected to a CnC server? (Snort, FireAMP, SI)
Welcome to host and event correlation, IOC style! Correlates different events with the hosts involved; another detection method and a way of prioritizing the analyst's focus. Similar to FireAMP capabilities, but for the network.
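The slide above is a correlation table: each IOC category can only be set by certain event sources, and a host's IOC count is the number of distinct categories set against it, which is what the dashboard widget ranks on. The Python below is an added example that implements that table over a constructed event stream; it is not code from the deck or from Cisco. The event dictionary layout (host, source, kind, detail) and the sample hosts are assumptions of this example; the category-to-source mapping is taken from the slide.

```python
from collections import defaultdict

# IOC category -> event sources that are allowed to set it (from the slide),
# plus the event kind each source must report.
IOC_RULES = [
    ("Targeted by network attack", {"snort"},                     "attack"),
    ("Downloaded malware",         {"snort", "fireamp", "malware"}, "download"),
    ("Executed malware",           {"fireamp"},                   "execute"),
    ("Connected to CnC server",    {"snort", "fireamp", "si"},    "cnc"),
]


def correlate(events):
    """Return {host: {IOC category: sorted list of sources that set it}}.

    An event only sets an IOC when its source is entitled to that category,
    so a network-only source can never assert that a host executed malware."""
    iocs = defaultdict(lambda: defaultdict(set))
    for e in events:
        for category, sources, kind in IOC_RULES:
            if e["source"] in sources and e["kind"] == kind:
                iocs[e["host"]][category].add(e["source"])
    return {h: {c: sorted(s) for c, s in cats.items()} for h, cats in iocs.items()}


def rank_hosts(iocs):
    """Dashboard widget order: most distinct IOC categories first, then by host."""
    return sorted(iocs, key=lambda h: (-len(iocs[h]), h))


def owned_hosts(iocs, min_categories=2):
    """'What is owned in my environment?': hosts with evidence from more than
    one stage of the attack, e.g. both a download and a CnC connection."""
    return [h for h in rank_hosts(iocs) if len(iocs[h]) >= min_categories]


# Constructed sample events; details are illustrative strings only.
EVENTS = [
    {"host": "10.0.0.5",  "source": "snort",   "kind": "attack",   "detail": "intrusion event, impact 1"},
    {"host": "10.0.0.5",  "source": "malware", "kind": "download", "detail": "disposition Malware over HTTP"},
    {"host": "10.0.0.5",  "source": "fireamp", "kind": "execute",  "detail": "connector quarantine event"},
    {"host": "10.0.0.5",  "source": "si",      "kind": "cnc",      "detail": "CnC blacklist hit"},
    {"host": "10.0.0.8",  "source": "snort",   "kind": "attack",   "detail": "intrusion event, impact 2"},
    {"host": "10.0.0.9",  "source": "si",      "kind": "cnc",      "detail": "CnC blacklist hit"},
    {"host": "10.0.0.9",  "source": "fireamp", "kind": "cnc",      "detail": "device flow correlation"},
    {"host": "10.0.0.11", "source": "snort",   "kind": "execute",  "detail": "not a valid IPS claim"},
]

if __name__ == "__main__":
    result = correlate(EVENTS)
    for host in rank_hosts(result):
        print(host, len(result[host]), result[host])
    print("owned:", owned_hosts(result))
```

Two details worth noticing: 10.0.0.9 has one category set by two sources, which still counts as one IOC on the widget, and the Snort "execute" event for 10.0.0.11 is discarded because only the endpoint agent can observe execution.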

IOC Dashboard Widget: What are the threats to my environment? -> What is owned in my environment? Lists each host with the number of IOCs set against it; click to expand.

A host profile view

IOC Data In Context Explorer

Demonstration @ Defense Center
- Traffic anomaly -> Context Explorer
- C&C communication -> Security Intelligence
- Really dangerous attacks -> Impact Flag
- Suspicious activity -> Indicators of Compromise
- Malware trajectory -> Network AMP
- Suspicious file threat score -> AMP, file capture
- Policy violation -> Correlation dashboard
- Reporting -> Templates, Scheduling

Q&A

Please rate this talk. Thank you.

Backup Slides

Reports

Reports: can be launched directly from the dashboard

Reports: template created from the dashboard

Custom Report Designer: templates can be customized or created

Report: Malware Threats
Time Window (all sections): 2014-04-28 14:50:16 - 2014-04-28 20:50:16
Constraints: Event Type = Threat Detected
Sections: Malware Threats, Application Protocols Transferring Malware, Threat Detections over Time, Hosts Receiving Malware

Malware Threats
Threat Name                      Count
W32.Trojan.Breach.VRT            178
CryptRedol:FakeAlert-tpd         141
FakeAlert:XPACK-tpd              141
Packed_NSPack:Bifrose-tpd        82
Lamechi:Downloader-tpd           78
Trojano:VBTroj-tpd               75
Troxa:Kunkka-tpd                 75
Bifrose:Trojan-tpd               74
MalwareF:Trojan-tpd              64
Packed_NSPack:Backdoor-tpd       52
Troj_Generic:Small-tpd           48
Suspicious_F:Downloader-tpd      44
Troxa:Rootkit-tpd                40
Goldun-tpd                       39
Kunkka:Troxa-tpd                 38
Application:BHO-tpd              37
Lamechi:MalOb-tpd                37
Downloader:Trojano-tpd           36
Bifrose:Pakes-tpd                36
Goldun:Sality-tpd                34

Application Protocols Transferring Malware
Application Protocol   Count
HTTP                   6,619

Hosts Receiving Malware
Receiving IP       Count
255.255.255.255    153
172.16.0.96        35
10.110.10.70       35
64.4.121.227       33
10.110.10.207      32
192.168.0.221      27
10.110.10.69       27
10.131.12.161      26
64.4.23.145        26
128.0.87.8         25
131.75.18.56       25
10.120.10.51       23
10.0.108.9         9
10.0.192.148       7
10.0.57.21         7
10.0.37.104        7
10.0.37.117        6
10.0.168.109       6
10.0.231.20        6

Report: Malware Threats (continued)
Time Window (all sections): 2014-04-28 14:50:16 - 2014-04-28 20:50:16

Hosts Sending Malware (Constraints: Event Type = Threat Detected)
Sending IP        Count
255.255.255.255   118
192.168.0.6       34
32.5.65.242       33
204.16.109.235    33
69.27.40.174      31
10.112.10.180     29
10.131.13.211     27
192.168.0.123     26
172.16.0.167      25
128.0.18.102      25
172.16.141.39     25
204.16.62.200     24
10.0.69.136       11
10.0.164.120      10
172.16.0.94       9
10.0.231.105      9
10.0.57.66        9
10.0.95.22        9
10.0.231.28       9
10.0.112.147      9

Malware Intrusions (Constraints: Message = BLACKLIST,MALWARE)
Message                                                                                          Count
OS-WINDOWS Microsoft Malware Protection Engine file processing denial of service attempt (1:17306)   11

File Types Infected with Malware (Constraints: Event Type = Threat Detected)
File Type   Count
MSEXE       5,981
PDF         515
RAR         73
ZIP         50

Users Affected by Malware (Constraints: Event Type = Threat Detected)
User   Count
(no rows in this time window)

Custom Reports Designer

Q&A