Sourcefire Network Security Analytics: Finding the Needle in the Haystack

Similar documents
Design and Deployment of SourceFire NGIPS and NGFWL

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment

Firewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků

Agile Security Solutions

Cisco Firepower NGIPS Tuning and Best Practices

Cisco pxgrid: A New Architecture for Security Platform Integration

Introduction to the Cisco Sourcefire NGIPS

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Snort: The World s Most Widely Deployed IPS Technology

Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339

A Deep Dive into the Firepower Manager

Connection Logging. Introduction to Connection Logging

Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers

Connection Logging. About Connection Logging

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries

Protection - Before, During And After Attack

Simulating Networks Using Cisco Modelling Labs

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

Introduction to Network Discovery and Identity

Cisco Cyber Threat Defense Solution 1.0

Key Security Measures to Enable Next-Generation Data Center Transformation

NXOS in the Real World Using NX-API REST

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Optimising SP Networks with WAN Automation Engine

How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology

ForeScout ControlFabric TM Architecture

PSOACI Tetration Overview. Mike Herbert

Threat Centric Network Security

Expert Reference Series of White Papers. Cisco Completes the Security Picture with Sourcefire

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Stop Threats Before They Stop You

Cisco ASA with FirePOWER Services

Next Generation IPS and Advance Malware Protection. Mahmoud Rabi Consulting Systems Engineer - Security

Enterprise Recording and Live Streaming Architecture with VBrick

Deploying Intrusion Prevention Systems

Get Hands On With DNA Center APIs for Managing Intent

DNA Assurance. Predict Network Failures Before They Become Issues

Un SOC avanzato per una efficace risposta al cybercrime

Cisco Firepower NGFW. Anticipate, block, and respond to threats

The following topics describe how to configure correlation policies and rules.

Integrated, Intelligence driven Cyber Threat Hunting

FireSIGHT Virtual Installation Guide

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

External Alerting with Alert Responses

ForeScout Extended Module for Carbon Black

Transforming Security from Defense in Depth to Comprehensive Security Assurance

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

Stopping Advanced Persistent Threats In Cloud and DataCenters

The Internet of Everything is changing Everything

Workflows. Overview: Workflows

Workflows. Overview: Workflows. The following topics describe how to use workflows:

Connected Mobile Experiences (CMX) Aligning Use Cases and Technology

Licensing the Firepower System

Introduction to Network Discovery and Identity

Cisco Tetration Analytics

Cisco Advanced Malware Protection for Networks

Optimizing Security for Situational Awareness

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Cisco ASA 5500-X NGFW

Monitoring the Device

Automation with Meraki Provisioning API

Compare Security Analytics Solutions

Top 10 most important IT priorities over the next 12 months. (Percent of respondents, N=633, ten responses accepted)

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

You Can See Everything From Our Windows

RSA INCIDENT RESPONSE SERVICES

Why we need Intelligent Security? Juha Launonen Sourcefire, Inc.

Workflows. Overview: Workflows

Introduction to Cisco IoT Tools for Developers IoT 101

Novetta Cyber Analytics

NetBrain Technologies: Achieving Agile Network Operations: How Automation Can Improve Visibility Across Hybrid Infrastructures

Empower stakeholders with single-pane visibility and insights Enrich firewall security data

Cisco Advanced Malware Protection for Networks

An Investment Checklist

Cisco ASA with FirePOWER Services

Introducing Cisco Network Assurance Engine

Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1

Incident Response Agility: Leverage the Past and Present into the Future

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Enhanced Threat Detection, Investigation, and Response

Unlock the Power of Data

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Real time Location Services Overview and Use cases

RSA NetWitness Platform

An Introduction to Developing for Cisco Kinetic

Sourcefire and ThreatGrid. A new perspective on network security

The Internet of Everything is changing Everything

McAfee epolicy Orchestrator

RSA INCIDENT RESPONSE SERVICES

Licensing the Firepower System

with Advanced Protection

NGFW Requirements for SMBs and Distributed Enterprises

<Partner Name> <Partner Product> RSA Ready Implementation Guide for. Rapid 7 Nexpose Enterprise 6.1

FP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

ForeScout Extended Module for Splunk

Cisco s Appliance-based Content Security: IronPort and Web Security

Transcription:

Sourcefire Network Security Analytics: Finding the Needle in the Haystack Mark Pretty Consulting Systems Engineer #clmel

Agenda Introduction The Sourcefire Solution Real-time Analytics On-Demand Analytics Putting the Tools to Work Q & A 3

Analytics leverage data in a particular functional process (or application) to enable context-specific insight that is actionable Gartner

How Easy is it to Find Things?

Sourcefire Analytics Solution CONTEXT IS EVERYTHING! 6

The Sourcefire Solution

Agenda Introduction The Sourcefire Solution Real-time Analytics On-Demand Analytics Putting the Tools to Work Q & A 8

Traffic Network Discovery IPS NetworkAMP NGFW Rules Application Identification Stream Re-assembly IP Defragmentation Security Intelligence Packet Decode Data Acquisition URL Reputation User IP Mapping 9

AMP for Endpoints FireSIGHT Management Console FirePOWER Sensor FirePOWER Sensor FirePOWER Sensor FirePOWER Sensor 10

FireSIGHT Management Console Real-time Event Processing and Correlation Event Database Configuration Database Analytical Tool Set 11

Data Sources FirePOWER FireSIGHT 12

FirePOWER Event Data Network Discovery Events Statistics Events Intrusion Events File & Malware Events Connection Events. 13

FireAMP Events Endpoint Malware Detection Quarantine Data Restore Information Scan Data Indicators of Compromise FireSIGHT Management Console Events Indicators of Compromise Correlated Statistics Event Augmentation 14

Agenda Introduction The Sourcefire Solution Real-time Analytics On-Demand Analytics Putting the Tools to Work Q & A 15

FireSIGHT Context Context Context! Real-time Network Awareness Device User FireSIGHT Management Console Network Map Context through asset state 16

Indications of Compromise Correlation of security events Threat detected Security Intelligence Malware detection AMP endpoint 17

Intrusion Event Impact Flag Real-time threat Impact Assessment Leverage the Network Map 18

Demo

Flow Summaries Counters generated in real-time via key based connection event aggregation. Facilitates analytics over larger time ranges from a performance and retention perspective. 20

Time-series Statistics Fast, minimal storage, meaningfultrending data Gauges and Counters Sensor based stats are inclusive independent of logging policy Remember MRTG, RRDTool, Cacti? 21

Time-series Statistics Sensor generated statistics Application, User, URL Reputation, URL Category, File Extraction & Storage DC generated statistics IPS GEO (Country), Security Intelligence Compliance Whitelist 22

Correlation Engine Flexible Boolean rules engine functioning on the real-time event stream at the FireSIGHT Management Console. Comprehensive access to events and all their columns Arbitrarily complex rule conditions Host profile qualification Dynamic connection tracking triggered by rule criteria Responses Email, Syslog, SNMP Traps Remediation API driven subsystem to dynamically respond to triggering Correlation Rules. 23

Correlation Engine Anomaly Detection Compliance Whitelists Define a set of criteria against which to measure hosts on interest on your network Operating System Network Protocol, Application Protocol, Web Application, and Client Application Traffic Profiles Set a baseline for connections that meet all the complex criteria provided by the correlation engine then alert on aberrant behaviour 24

Demo

Agenda Introduction The Sourcefire Solution Real-time Analytics On-Demand Analytics Putting the Tools to Work Q & A 26

Event Viewer 27

Event Viewer Workflow system Pre-configured and Custom event roll-ups Single click constraints Build filters as you explore your data Event type pivots Unified constraints and time ranges Detail views Packet View, User History, Host Profile, File Trajectory Contextual actions IP Blacklisting, Intrusion Rule Suppression & Thresholding 28

Dashboard 29

Context Explorer Data exploration tool Visualisations of IoC, Network, Intrusion, File, App, User, and Geo info Advanced filtering across data silos Drill downs into detailed event analysis Accessible from analysis tools to provide context 31

Demo

Flexible Reporting Highly customisable and reusable report templates Generate reports based on dashboards and event views Scheduling support Multiple output formats Variable support for template reuse 33

Network File Trajectory Powerful visualisation approach influenced by the FireAMP product Allows for aggregation of FireAMP and NetworkAMP file intelligence to provide a comprehensive story of the lifecycle a file (or malware) within your enterprise. 34

Agenda Introduction The Sourcefire Solution Real-time Analytics On-Demand Analytics Putting the Tools to Work Q & A 35

Demo

Closing Real-time Analytics FireSIGHT Context Awareness Time-series Statistical Data Use Case Specific Correlation On-demand Analytics Event Viewer Context Explorer Dashboarding File Trajectory 2014 Cisco and/or its affiliates. All rights reserved. 37

Continue Your Education Demos in the Cisco Campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings 38

Q & A

Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2015 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015 Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.ciscoliveapac.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback