Security for the Real World: NG IPS
Jean-Paul Kerouanton, Sourcefire, Inc.
Prepared for:

Agenda
- Your Security Challenges
- About Sourcefire
- A New Approach
- How It Works
- Products & Services
- Questions & Next Steps

Let's Solve Problems
- What are your challenges?
- How are they being addressed today?
- What's your ideal solution?
- How are you organized?
- What is your timeframe for this project?
Why an IPS? (1)
- Vulnerability exposure simply happens as you use software (5+ new CVEs per day in 2010)
- Average time to patch is measured in months
- Personal use of the internet by employees increases exposure: malware, targeted phishing, SSL (Gmail, ...), social networks, smartphones

Why an IPS? (2)
- 100% of modern attacks use authorised traffic, accounts and privileges on your network
- Most modern attacks are designed not to destroy but to exfiltrate information without being detected: Stuxnet (SCADA), Aurora (IE vulnerability)
- Destructive worms and botnets are still real and active

NGIPS: Definition

Today's Reality
"Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure."
Neil MacDonald, VP & Gartner Fellow. Source: Gartner, Inc., "The Future of Information Security is Context Aware and Adaptive", May 14, 2010
- Dynamic threats: organized attackers, sophisticated threats, multiple attack vectors
- Static defenses: ineffective defenses, black box limits flexibility, set-and-forget doesn't work
About Sourcefire
About Sourcefire
- Mission: to be the leading provider of intelligent cybersecurity solutions for the enterprise
- Founded in 2001 by Snort creator Martin Roesch, CTO
- Headquarters: Columbia, MD
- Focus on enterprise and government customers
- Global Security Alliance ecosystem
- NASDAQ: FIRE

Powered by Snort
- Global standard for Intrusion Detection and Prevention
- World's largest threat response community
- Interoperable with other security products
- Owned and controlled by Sourcefire, Inc. (www.snort.org)

Backed by the VRT (Sourcefire Vulnerability Research Team)
- 150+ private and public threat feeds
- Snort and ClamAV community insight
- Advanced Microsoft and industry disclosure
- 20,000 malware samples per day
- Research and analysis: best-in-class threat protection
A New Approach
Traditional IPS vs. Next-Generation IPS
Traditional IPS               | Next-Generation IPS
Closed & Blind Architecture   | Open & Customizable
None or Limited Awareness     | Visibility & Intelligence
Human Intensive               | Automation, Self Tuning & Precision
Traditional IPS vs. Next-Generation IPS (chart: Traditional IPS, 300-1000)
Traditional IPS vs. Next-Generation IPS (continued)
Next-Gen IPS: The Power of Awareness
- Network: know what's there, what's vulnerable, and what's under attack
- Application: identify change and enforce policy on hundreds of applications
- Behavior: detect anomalies in configuration, connections and data flow
- Identity: know who is doing what, with what, and where

Next-Gen IPS: Highly Automated Operation
Real Time, All the Time!
How It Works
Context is everything: how much security context would you like?
The slide builds up the same event in three steps: first the bare alert, then host context from discovery, then identity context.
Step 1 (bare alert):
  Event: Attempted Privilege Gain
  Target: 96.16.242.135
Step 2 (host context):
  Target: 96.16.242.135 (vulnerable)
  Host OS: BlackBerry
  Applications: Mail, Browser, Twitter
  Location: Whitehouse, US
Step 3 (identity context):
  User ID: bobama
  Full Name: Barack Obama
  Department: Executive Branch
Monitor equipment configurations
1. Sample the real-time network map
2. Create a baseline compliance map
3. Compare for differences
4. Raise an actionable event for each difference
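The four-step procedure above, written out as a small added example. This is illustration code, not Sourcefire's implementation: the map schema (host address, OS, set of services), the two sample maps and the event names are all constructed assumptions; a real baseline would come from the compliance policy and the observed map from passive discovery.

```python
"""Compare a real-time network map against a baseline compliance map.

Added example, not Sourcefire code. Both maps are constructed sample data;
the schema (host -> OS, services) and the event names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    os: str
    services: frozenset  # set of (proto, port, app) tuples


# Constructed baseline: what the compliance policy says should be on the network.
BASELINE = {
    "10.0.1.10": Host("Linux 2.6", frozenset({("tcp", 22, "ssh"), ("tcp", 443, "https")})),
    "10.0.1.20": Host("Windows Server 2008", frozenset({("tcp", 3389, "rdp")})),
}

# Constructed real-time snapshot, as passive discovery would report it.
OBSERVED = {
    "10.0.1.10": Host("Linux 2.6", frozenset({("tcp", 22, "ssh"), ("tcp", 443, "https"), ("tcp", 21, "ftp")})),
    "10.0.1.30": Host("BlackBerry", frozenset({("tcp", 80, "browser")})),
}


def compare_maps(baseline, observed):
    """Return actionable events (kind, host, detail) for every deviation from baseline."""
    events = []
    for ip in sorted(set(baseline) | set(observed)):
        base, obs = baseline.get(ip), observed.get(ip)
        if base is None:
            # Host seen on the wire but absent from the compliance map.
            events.append(("new_host", ip, obs.os))
            continue
        if obs is None:
            # Host expected by policy but not currently observed.
            events.append(("missing_host", ip, base.os))
            continue
        if base.os != obs.os:
            events.append(("os_changed", ip, f"{base.os} -> {obs.os}"))
        # Services running that the baseline does not allow.
        for svc in sorted(obs.services - base.services):
            events.append(("unauthorized_service", ip, "%s/%d %s" % svc))
        # Services the baseline requires that are no longer seen.
        for svc in sorted(base.services - obs.services):
            events.append(("service_missing", ip, "%s/%d %s" % svc))
    return events


if __name__ == "__main__":
    for kind, ip, detail in compare_maps(BASELINE, OBSERVED):
        print(f"{kind:<22} {ip:<12} {detail}")
```

Comparing the observed map against itself yields no events; comparing the two constructed maps yields one unauthorized service, one missing host and one new host.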
Putting it all together: increasing accuracy in dynamic networks
- IPS: pre-processor configuration and rule mix, sitting between the network attacks and the PCN
- Network attacks -> IPS -> detected incidents (some attacks are missed: false negatives)
- Asset Discovery feeds the Defense Center
- Defense Center: impact correlation (flags the incidents that matter, Impact 1) and automatic rules tuning
- Automatic rules tuning pushes an updated pre-processor configuration and an updated rule mix back to the IPS
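The "Context is everything" slides and the "Putting it all together" loop describe the same mechanism: an alert is enriched with what discovery knows about the target host and user, that context decides how much the alert matters, and the same asset knowledge drives the rule mix. The added example below models both; it is not Sourcefire code. The asset inventory, user mapping, rule metadata (placeholder sids, not real Snort sids) and the four-level impact scheme are all constructed assumptions chosen to fit the slides.

```python
"""Enrich an IPS event with asset and identity context, rate its impact,
and derive a rule mix from the asset inventory.

Added example, not Sourcefire's implementation. Inventory, users, rules and
the impact levels 1-4 are constructed, simplified assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    os: str
    apps: frozenset      # application names seen on the host
    ports: frozenset     # (proto, port) pairs observed open
    location: str


@dataclass
class Rule:
    sid: int
    msg: str
    target_os: frozenset  # OS families the flaw applies to; empty = any
    proto: str
    port: int


# Constructed inventory, as passive asset discovery would build it.
ASSETS = {
    "96.16.242.135": Asset("BlackBerry", frozenset({"Mail", "Browser", "Twitter"}),
                           frozenset({("tcp", 80)}), "Whitehouse, US"),
    "10.0.1.10": Asset("Linux", frozenset({"sshd"}), frozenset({("tcp", 22)}), "Datacenter"),
}

# Constructed identity mapping: IP -> (user id, full name, department).
USERS = {"96.16.242.135": ("bobama", "Barack Obama", "Executive Branch")}

# Constructed rule metadata; the sids are placeholders, not real Snort sids.
RULES = {
    900001: Rule(900001, "Attempted Privilege Gain (web client)", frozenset({"BlackBerry"}), "tcp", 80),
    900002: Rule(900002, "Attempted Privilege Gain (ssh)", frozenset({"Linux"}), "tcp", 22),
    900003: Rule(900003, "RDP exploit attempt", frozenset({"Windows"}), "tcp", 3389),
}


def impact(rule, asset):
    """Assumed scheme: 1 = likely vulnerable ... 4 = nothing known about the host."""
    if asset is None:
        return 4  # unknown host: nothing to correlate against
    if (rule.proto, rule.port) not in asset.ports:
        return 3  # host known, but the targeted service is not running
    if rule.target_os and asset.os not in rule.target_os:
        return 2  # service running, but this OS is not affected by the flaw
    return 1      # host, service and OS all match: likely vulnerable


def enrich(event):
    """Attach host, application, location and user context to a raw alert."""
    rule = RULES[event["sid"]]
    asset = ASSETS.get(event["target"])
    out = {"event": rule.msg, "target": event["target"], "impact": impact(rule, asset)}
    if asset:
        out.update(host_os=asset.os, applications=sorted(asset.apps), location=asset.location)
    if event["target"] in USERS:
        uid, name, dept = USERS[event["target"]]
        out.update(user_id=uid, full_name=name, department=dept)
    return out


def recommend_rule_mix(rules, assets):
    """Enable rules that can hit something on this network; disable the rest."""
    enabled, disabled = [], []
    for sid, rule in sorted(rules.items()):
        relevant = any(impact(rule, a) <= 2 for a in assets.values())
        (enabled if relevant else disabled).append(sid)
    return enabled, disabled


SAMPLE_EVENT = {"sid": 900001, "target": "96.16.242.135"}  # constructed alert

if __name__ == "__main__":
    for key, value in enrich(SAMPLE_EVENT).items():
        print(f"{key:>12}: {value}")
    print("rule mix (enabled, disabled):", recommend_rule_mix(RULES, ASSETS))
```

The enriched sample event comes out as impact 1 with the full host and user context from the slide; the same alert against a host that has no web service, or against an address discovery has never seen, drops to impact 3 or 4. The RDP rule is recommended for disabling because no discovered host runs that service, which is the "updated rule mix" step of the loop.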
Sourcefire Products
Next-Generation IPS Products
- Management: Defense Center management console
- Technologies: next-generation IPS, awareness, SSL inspection, virtual products

Sourcefire 3D System Components
- Discover (sensing network, Gbit copper or fiber; each sensor deployable in-line or passive):
  - IPS: typically 1 KB per event
  - RNA: typically 100 bytes per event
  - RUA
- Determine: Defense Center (DC) on the management network (Gbit copper)
- Defend: email, SNMP, Syslog, SSL; firewall, IPS, switches, routers; configuration and compliance management
Sourcefire 3D Sensors
- From 5 Mbps to 10 Gbps
- Connectivity: 1G copper/fiber, 10G LR, 10G SR
- Integrated fail-open cards
- Configurations from 4 to 12+ ports
- Sizing criteria: throughput, number of ports, number of instances
- 3 body plans
Throughput       | Model
10/20 Gbit/s     | 3D9900
4 Gbit/s         | 3D6500
2 Gbit/s         | 3D4500
1 Gbit/s         | 3D3500
500 Mbit/s       | 3D2500
250 Mbit/s       | 3D2100
100 Mbit/s       | 3D2000
45 Mbit/s        | 3D1000
5 Mbit/s         | 3D500

Why Sourcefire?
- Powered by Snort
- Driven by awareness
- Best-in-class detection
- Open architecture
- Highly automated
Stop doing things the old way! Try the next generation in intrusion detection and prevention.

Questions & Next Steps

Demo System