Sourcefire and ThreatGrid. A new perspective on network security

Similar documents
Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

Next Generation IPS and Advance Malware Protection. Mahmoud Rabi Consulting Systems Engineer - Security

Introduction to the Cisco Sourcefire NGIPS

Network Visibility and Advanced Malware Protection. James Weathersby, Director Technical Marketing Gyorgy Acs, Consulting Security Engineer

Cisco Advanced Malware Protection. May 2016

Agile Security Solutions

Cisco ASA 5500-X NGFW

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Firewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků

Protection - Before, During And After Attack

The Internet of Everything is changing Everything

Cisco Advanced Malware Protection against WannaCry

Cisco Advanced Malware Protec3on

Cisco Security Exposed Through the Cyber Kill Chain

Cisco ASA with FirePOWER Services

Design and Deployment of SourceFire NGIPS and NGFWL

Advanced Malware Protection. Dan Gavojdea, Security Sales, Account Manager, Cisco South East Europe

The Importance of Threat-Centric Security

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Snort: The World s Most Widely Deployed IPS Technology

A New Security Model for the IoE World. Henry Ong SE Manager - ASEAN Cisco Global Security Sales Organization

The Importance of Threat-Centric Security

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Cisco Advanced Malware Protection for Networks

The Internet of Everything is changing Everything

Cisco AMP Solution. Rene Straube CSE, Cisco Germany January 2017

Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339

Cisco Advanced Malware Protection for Networks

Advanced Malware Protection: A Buyer s Guide

Security Experts Webinar

Cisco Advanced Malware Protection for Endpoints

Cisco Advanced Malware Protection for Endpoints. Donald J Case BizCare, Inc. Saturday, May 19, 2018

Intelligent Cyber Security for Real World

Expert Reference Series of White Papers. Cisco Completes the Security Picture with Sourcefire

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Sourcefire Network Security Analytics: Finding the Needle in the Haystack

We re ready. Are you?

An Investment Checklist

Security for the real World NG IPS Jean-Paul Kerouanton Sourcefire, Inc.

Compare Security Analytics Solutions

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

NGFW Requirements for SMBs and Distributed Enterprises

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Lastline Breach Detection Platform

Cisco ASA with FirePOWER Services

File Policies and AMP for Firepower

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

Data Center Security. Fuat KILIÇ Consulting Systems

Fully Integrated, Threat-Focused Next-Generation Firewall

FIREWALL BEST PRACTICES TO BLOCK

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

AMP for Endpoints & Threat Grid

Improving Security with Cisco ASA Firepower Services Claudiu Onisoru, Senior Solutions Engineer Cisco Connect - 18 March 2015

RSA Security Analytics

File Policies and Advanced Malware Protection

Isla Web Malware Isolation and Network Sandbox Solutions Security Technology Comparison and Integration Guide

Gladiator Incident Alert

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Threat Centric Network Security

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

CloudSOC and Security.cloud for Microsoft Office 365

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Monitoring the Device

Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace. Milan Habrcetl Cisco CyberSecurity Specialist Mikulov, 5. 9.

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

Easy Setup Guide. Cisco ASA with Firepower Services. You can easily set up your ASA in this step-by-step guide.

Juniper Sky Advanced Threat Prevention

Synchronized Security

SilverBlight. Craig Williams Sr. Technical Leader / Security Outreach Manager Cisco and/or its affiliates. All rights reserved.

Building Resilience in a Digital Enterprise

Automated Threat Management - in Real Time. Vectra Networks

Licensing the Firepower System

Build a Software-Defined Network to Defend your Business

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Cisco ASA with FirePOWER Services

McAfee Advanced Threat Defense

Deploying Intrusion Prevention Systems

JUNIPER SKY ADVANCED THREAT PREVENTION

New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall

Access Control Using Intrusion and File Policies

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment

Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Key Security Measures to Enable Next-Generation Data Center Transformation

Protecting Your Digital Business: The Case for Next-Generation Intrusion Prevention

Threat Detection and Mitigation for IoT Systems using Self Learning Networks (SLN)

Stop Threats Before They Stop You

Information Security Specialist. IPS effectiveness

FP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer

CYBER SECURITY. formerly Wick Hill DOCUMENT* PRESENTED BY I nuvias.com/cybersecurity I

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Access Control Using Intrusion and File Policies

A Deep Dive into the Firepower Manager

Cisco Next Generation Firewall Services

THE ACCENTURE CYBER DEFENSE SOLUTION

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Cisco s Appliance-based Content Security: IronPort and Web Security

Transcription:

Sourcefire and ThreatGrid A new perspective on network security

Agenda An overview of traditional IPS solutions Next-Generation IPS Requirements Sourcefire Next-Generation IPS Advanced Malware Protection ThreatGRID

If you knew you were going to be compromised, would you do security differently?

It s no longer a question of if you ll be breached it s a matter of when?.

How do they do it? Hacker Houses contracted to infiltrate our organization Survey Write Test Execute Accomplish What is the antivirus solution currently used? What are the countermeasures? Create malicious code specially designed for the customer s environment. Test malicious code against a security solution replica. Launch the attack. Data exfiltration. Strategic data removal.

Problems with Traditional IPS Technology - Doesn t give you much information to go on - Requires you to spend weeks tuning - Gives you a false sense of security the IPS is your Silver Bullet - Overwhelms you with irrelevant events - Results: - IPS is minimally effective or isn t used - Massive amounts of time spent on tunning policies/signatures - Companies exploited

Getting most of IT security with your Next-GEN IPS -Identify the attackers and hosts that really matter for company s business -Receive contextual awareness info about critical attacks: who, when, how, why and when - Gain full network visibility in terms of: - Applications used: - Endpoint types: - Files transferred throughout the network (who was the first one to access a specific malware file; what is the origin of the outbreak?) - Connections (who owns this IP, what s the origin country? How much data did he accesed/transferred?)

Who is SourceFire? Founded in 2001 - Led by cyber-security-focused individuals -Security from Network to Endpoint to Cloud - Market leader in (NextGen)IPS - Groundbreaking Advanced Malware Protection solution -Innovative 52+ patents issued or pending - Pioneer in NextGenIPS, context-driven security, advanced malware protection - World-class research capability (VRT) -Owner of major Open Source security projects: - Snort, ClamAV, Razorback -Bought by Cisco on October, 2013

Open Source SNORT - Created in 1998 by Marting Roesch - Snort combines the benefits of signature, protocol, and anomaly-based inspection. - Snort is the most widely deployed IDS/IPS technology worldwide. - With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS. - World s largest threat response community - Owned and controlled by Cisco/Sourcefire - Interoperable with other security solutions

Cisco ASA with FirePOWER Services Instrustry s First Adaptive, Threat-Focused NGFW Cisco ASA -World s most widely deployed stateful firewall - Identity-Policy Control & VPN - Best in class with availability & clustering -TCP normalization, TCP Intercept, NAT, Routing Sourcefire - Industry-leading next-generation IPS - Application Visibility and Control - Built-in network profiling - URL Filtering to enforce Acceptable Use Policy - Advanced Malware Protection - FireSight Analytics & Automation

ASA + Sourcefire = Cisco ASA FirePOWER Services WWW Clustering & High Availability Intrusion Prevention (subscription) FireSIGHT Analytics & Automation Advanced Malware Protection (subscription) URL Filtering (subscription) Network Firewall Routing Switching Application Visibility & Control Built-in Network Profiling Identity-Policy Control & VPN CISCO ASA

FireSIGHT Management Center - Centralized management and analysis - Customisable reports, alerts, dashboards - Centralised policy administration - High availability - Available both as hardware/virtual appliances - Automatically discovers and catalogues all network devices and services - Features automated tunning adjust policies automatically - Associates users with security and compliance events - Mandatory for any Sourcefire installation!

Sourcefire Network Discovery Gaining Full Network Visibility CATEGORIES EXAMPLES FirePOWER Services TYPICAL IPS TYPICAL NGFW Threats Attacks, Anomalies Users AD, LDAP, POP3 Web Applications Facebook Chat, Ebay, Gmail Application Protocols HTTP, SMTP, SSH, Telnet File Transfers PDF, Office, EXE, JAR, CAB Malware Conficker, Flame Command & Control Servers C&C Security Intelligence Client Applications Firefox, IE10, BitTorrent Network Servers Apache 2.4, IIS7, Operating Systems Windows, Linux, Mac Routers & Switches Cisco, Juniper Mobile Devices iphone, Android Printers HP, Xerox, Canon VoIP Phones Cisco, Avaya Virtual Machines VMware, Xen, RHEV

Sourcefire Context Explorer - Network Discovery

Impact Assesement -Relies on information obtained from passive discovery: OS, client and server apps - Correlates all intrusion events to an Impact of the attack against the target. -Allows analysist to focus on the smaller subset of events that they could be vulneralable to.

Application Control - Control access for aplications, devices or users - Enforces an application acceptable use policy across the enterprise - Identifies over 3000 apps, devices and more - Can use OpenAppID an applicationfocused detection language module for Snort that enables users to create, share and implement application detection.

URL Filtering -Blocks non-businessrelates sites using URL categories - Can be based on users, user groups, subnets, etc.

IPS Policies - Sourcefire can automate IPS policy tunning. - Can recommend signatures/event configurations based on the results obtained from network discovery. - By default, one can apply some standard IPS policies (connectivity over security, balanced connectivity and security, etc.)

Indication of Compromise (IOC) 1 - IOC tags a host that is suceptable of being infected with malware. - IOC data can give you a clear, direct picture of the threats to your monitored network as they relate to its hosts. 2 3 4

ASA + Sourcefire = Cisco ASA FirePOWER Services NSS Labs Results - Best Threat Effectiveness - Highest throughput - Most Sessions - Best Value (lowest TCO/protected Mbps) "For the past five years, Sourcefire has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities. Vikram Phatak, CTO NSS Labs, Inc. Top Ratings (8260) * 98.9% detection & protection 34Gbps inspected throughput 60M concurrent connections $15 TCO / protected Mbps

ASA with FirePOWER Services

Licensing Subscription Packages 1 and 3 years terms Application Visibility and Control is part of the default offering Application Visibility and Control updates are included in SMARTnet

Advanced Malware Protection Attack Continuum Model Attack Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall Patch Mgmt IPS IDS AMD App Control Vuln Mgmt Antivirus FPC Log Mgmt VPN IAM/NAC Email/Web Forensics SIEM Visibility and Context

Advanced Malware Protection Protection Framework 1-to-1 Signatures Spero Device Flow Correlation Dynamic Analysis Ethos IOCs Advanced Analytics

Advanced Malware Protection Retrospective Framework Typical Analysis file 1-to-1, Fuzzy, Machine Learning, Sandboxing, etc; Disposition = CLEAN Analysis Stops After Initial Disposition x Actually Disposition = BAD too late! time Sleep techniques Unknown protocols Encryption Performance Continuous Analysis file Initial Disposition = CLEAN Analysis Continues x Retrospective Alert sent later when Disposition = BAD time When you can t detect 100%, visibility is critical

Advanced Malware Protection Cloud Intelligence Cisco SIO I00I III0I III00II 0II00II I0I000 0110 00 10I000 0II0 00 0III000 II1010011 101 1100001 110 110000III000III0 I00I II0I III0011 0110011 101000 0110 00 100I II0I III00II 0II00II I0I000 0II0 00 Sourcefire VRT 101000 0II0 00 0III000 III0I00II II II0000I II0 (Vulnerability Research Team) 1100001110001III0 I00I II0I III00II 0II00II 101000 0110 00 1.6 million global sensors 100 TB of data received per day 150 million+ deployed endpoints 600+ engineers, technicians, and researchers 35% WWW Email Endpoints Web Networks IPS Devices worldwide email traffic 13 billion web requests 24x7x365 operations 40+ languages Automatic Updates every 3-5 minutes TALOS 180,000+ File Samples per Day FireAMP Community, 3+ million Advanced Microsoft and Industry Disclosures Snort and ClamAV Open Source Communities Honeypots Private and Public Threat Feeds Dynamic Analysis

Advanced Malware Protection Deployments Endpoint AMP Network AMP

Third-party integration with Sourcefire Cisco Identity Services Engine - relies on APIs to quarantine attacker s IP address using Endpoint Protection Services - quarantines attacker based on Sourcefire instrusion events F5 Networks BIG IP - connects to BIG IP and creates irules on demand in order to protect virtual servers - denies attacker access to virtual-server, based on Sourcefire intrustion events Remote SSH Command Remediation - can be used with any 3 rd party vendor in order to block the IP address of the attacker - includes the capability to run in privilege mode

Advanced Malware Protection ThreatGRID -High-speed, automated analysis and adjustable runtimes -Does not expose any tags or indicators that malware can use to detect that it is being observed -Can observe a greater number of behaviors - Video playbacks - Glovebox for malware interaction and operational troubleshooting - Process Graph for visual representation of process lineage - Threat Score & Behavioral Indicators - Search and correlate all data elements of a single sample against billons of sample artifacts collected and analyzed over years (global and historic context) - Enable the analyst to better understand the relevancy of sample in question to one s environment - Architected from the ground up with an API to integrate with existing IT security solutions (Automatically receive submissions from other solutions and pull the results into your environment)

AMP ThreatGrid Report Sample For a live session visit us @Datanet / Cisco Connect

Short video AMP

KEY TAKE-AWAY POINTS ASA with FirePOWER Services IPS Intrusion Prevention System AVC Application Visibility and Control URL filtering AMP for networks and endpoints File trajectory and file retrospections Passive network discovery Indication of Compromise AMP Threat Grid Malware Analysis & Threat Intelligence

eve in more believe in secur

Thank you!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback