
Page 1: Agile Security Solutions - Cisco...Agile Security Solutions Piotr Linke ... Based on user and user group Provide URL reputation information URL Filtering and reputation . 24 Advanced

Agile Security Solutions Piotr Linke

Security Engineer

CISSP CISA CRISC CISM

Page 2:

Open Source SNORT

Page 3:

Consider these guys…

All were smart. All had security. All were seriously compromised.

Page 4:

The Industrialization of Hacking

Attackers and defenders drive each other to innovate, resulting in distinct threat cycles.

Timeline, 1985 to 2010: viruses, macro viruses, worms, spyware / rootkits, APTs (the slide also carries icons for hackers and malware as attack vectors).

Then: goal glory, mode noise. Now: goal profit, mode stealth.

Page 5:

So what are you trying to protect?

Servers, infrastructure, desktops, BYOD, users.

Page 6:

Who are we fighting with?


Page 7:

Black Hole v2 exploit kit

Page 8:

Black Hole v2 exploit kit (continued)

Page 9:

Nuclear Pack 2.0 exploit kit

Page 10:

Note the advertising strip.

Page 11:

Agile Security process

Page 12:

Lockheed Martin’s “APT Kill Chain”

Page 13:

Appliances | Virtual: NGFW, NGIPS, AMP

One platform addresses the entire attack continuum through software licenses:

Before: see it, control it
During: intelligent and context aware
After: retrospective security

Page 14:

Sourcefire Agile Security Solutions

Collective Security Intelligence
Management Center (appliances | virtual)
Next-Generation Firewall
Next-Generation Intrusion Prevention
Advanced Malware Protection (hosts | virtual | mobile)
Contextual Awareness
Network products delivered as appliances | virtual

Page 15:

FireSIGHT is built into all Sourcefire next-generation security solutions to provide the network intelligence and context you need to respond to changing conditions and threats.

Page 16:

FireSIGHT™ Saves Money and Improves Security

IT Insight: spot rogue hosts, anomalies, policy violations, and more
Impact Assessment: threat correlation reduces actionable events by up to 99%
Automated Tuning: adjust IPS policies automatically based on network change
User Identification: associate users with security and compliance events
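The two FireSIGHT claims that matter operationally, impact assessment and automated tuning, both come down to correlating sensor data with a passively learned host inventory. The block below is an added example, not Sourcefire or FireSIGHT code: it scores constructed IPS events against a constructed host map using a four-level impact scale that is assumed here (1 vulnerable, 2 potentially vulnerable, 3 not vulnerable, 4 unknown target), and it derives which hypothetical rules are worth enabling from the same inventory. Host addresses, rule SIDs, the vulnerability id and the events are all made up.

```python
"""Impact assessment: correlate IPS events with a passively learned host
inventory so that only events against hosts that can actually be hurt are
escalated. Added example (not Sourcefire/FireSIGHT code); the impact scale,
the host inventory, the rule metadata and the events are all constructed."""
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    ip: str
    os_family: str                                  # learned from passive fingerprinting
    services: dict = field(default_factory=dict)    # open port -> service name
    vulns: set = field(default_factory=set)         # vulnerability ids the host is exposed to


# Constructed network map, the kind of data a passive sensor builds over time.
HOSTS = {
    "10.0.1.10": HostProfile("10.0.1.10", "windows", {445: "smb", 3389: "rdp"}, {"VULN-SMB-RCE"}),
    "10.0.1.20": HostProfile("10.0.1.20", "linux", {22: "ssh", 80: "http"}, set()),
}

# Constructed rule metadata: what each hypothetical IPS rule's exploit targets.
RULE_META = {
    1001: {"vuln": "VULN-SMB-RCE", "os": "windows", "port": 445},   # SMB remote code execution
    1002: {"vuln": None, "os": "linux", "port": 22},                # SSH brute force
    1003: {"vuln": None, "os": "solaris", "port": 111},             # RPC probe, no such hosts here
}

# Constructed events: rule sid, source, destination.
EVENTS = [
    {"sid": 1001, "src": "203.0.113.5", "dst": "10.0.1.10"},
    {"sid": 1001, "src": "203.0.113.5", "dst": "10.0.1.20"},
    {"sid": 1002, "src": "203.0.113.9", "dst": "10.0.1.20"},
    {"sid": 1002, "src": "203.0.113.9", "dst": "10.0.9.99"},
]


def impact_level(event, hosts=HOSTS, rule_meta=RULE_META):
    """Return (impact, reason); a lower impact number means more urgent.
    1 vulnerable:             target host is exposed to the vulnerability the rule covers
    2 potentially vulnerable: target runs the rule's OS or has the targeted port open
    3 not vulnerable:         target is known and matches neither
    4 unknown target:         destination is not in the network map at all
    """
    host = hosts.get(event["dst"])
    meta = rule_meta.get(event["sid"], {})
    if host is None:
        return 4, "destination not in host inventory"
    if meta.get("vuln") and meta["vuln"] in host.vulns:
        return 1, f"host exposed to {meta['vuln']}"
    if meta.get("os") == host.os_family or meta.get("port") in host.services:
        return 2, "target OS or service present on host"
    return 3, "target OS and service absent on host"


def triage(events, hosts=HOSTS, rule_meta=RULE_META):
    """Events sorted most urgent first, each paired with its (impact, reason)."""
    scored = [(impact_level(e, hosts, rule_meta), e) for e in events]
    scored.sort(key=lambda pair: pair[0][0])
    return scored


def actionable(events, max_impact=2, hosts=HOSTS, rule_meta=RULE_META):
    """The subset an analyst should look at: impact 1 and 2 by default."""
    return [e for (level, _), e in triage(events, hosts, rule_meta) if level <= max_impact]


def recommended_rules(hosts=HOSTS, rule_meta=RULE_META):
    """Automated tuning: keep only rules whose target OS or port exists on the network."""
    keep = set()
    for sid, meta in rule_meta.items():
        for host in hosts.values():
            if meta.get("os") == host.os_family or meta.get("port") in host.services:
                keep.add(sid)
                break
    return keep


if __name__ == "__main__":
    for (level, reason), e in triage(EVENTS):
        print(f"impact {level}: sid {e['sid']} {e['src']} -> {e['dst']} ({reason})")
    print("actionable:", len(actionable(EVENTS)), "of", len(EVENTS))
    print("rules worth enabling:", sorted(recommended_rules()))
```

With the constructed data, two of the four events are actionable and the Solaris RPC rule is never recommended because nothing on the network matches it; the same inventory drives both the event ranking and the rule set, which is the point of building it passively.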

Page 17:

FirePOWER supports a range of Sourcefire security solutions with unmatched performance, threat protection and energy efficiency.

Page 18:

FirePOWER™ Hardware Features

LCD Display: quick and easy headless configuration
Device Stacking: scale monitoring capacity through stacking
Connectivity Choice: change and add connectivity in line with network requirements
Hardware Acceleration: best-in-class throughput, security, rack size/Mbps, and price/Mbps
Lights Out Management: minimal operational impact
SSD: solid state drive for increased reliability
Configurable Bypass or Fail Closed Interfaces: for IDS, IPS or firewall deployments

Page 19:

FirePOWER™ Appliances (chart: IPS throughput per model; the throughput axis is also labelled NGIPS / App Control / NGFW / AMP)

Models on the chart: 7010, 7020, 7030, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290, SSL1500, SSL2000, SSL8200
Connectivity labels on the chart: Fixed Connectivity, Modular Connectivity, Stackable, Mixed / SFP
Throughput ticks: 50 Mbps, 100 Mbps, 250 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 4 Gbps, 6 Gbps, 10 Gbps, 20 Gbps, 30 Gbps, 40 Gbps
Values legible next to individual models: 7115 at 750 Mbps, 7125 at 1.25 Gbps, SSL1500 at 1.5 Gbps

All appliances include:
• Integrated lights-out management
• Sourcefire acceleration technology
• LCD display

Page 20:

What is a Next-Generation IPS?

Gartner definition (source: defining_nextgeneration_netw_218641.pdf): support bump-in-the-wire configuration without disrupting network traffic, and act as a platform for network traffic inspection, intrusion detection and enforcement, with:

• Standard first-generation IPS capabilities
• Application awareness and full-stack visibility
• Context awareness
• Content awareness
• Agile engine

Sourcefire: ✔ on every criterion.

Page 21:

Next Generation Firewall (NGFW) with Application Control

Page 22:

Reduce Risk Through Granular Application Control

Control access for applications, users and devices

→ “Employees may view Facebook, but only Marketing may post to it”

→ “No one may use peer-to-peer file sharing apps”

Over 2300 apps, devices, and more!

Page 23:

URL Filtering and Reputation

Block non-business-related sites by category, based on user and user group; provide URL reputation information.
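The application-control rules on the previous slide ("Employees may view Facebook, but only Marketing may post to it", "No one may use peer-to-peer file sharing apps") and the URL category and reputation controls on this one are the same mechanism: an ordered policy evaluated against a request enriched with identity, application and URL context. The block below is an added example written for this page, not the product's policy engine. The users, groups, application categories, URL categories, the 1 (worst) to 5 (best) reputation scale and the rules are all constructed.

```python
"""First-match access policy combining application control (application,
action, user group) with URL category and reputation filtering. Added example,
not the product's policy engine; users, groups, application categories, URL
categories, reputation scores (assumed 1 = worst to 5 = best) and rules are
all constructed to mirror the two slides."""

# Constructed identity data: user -> groups (what an identity source would supply).
USER_GROUPS = {
    "alice": {"marketing", "employees"},
    "bob": {"engineering", "employees"},
}

# Constructed application and URL classification.
APP_CATEGORY = {"facebook": "social", "bittorrent": "peer-to-peer", "http": "web"}
URL_INFO = {                        # host -> (category, reputation 1..5)
    "facebook.com": ("social", 5),
    "intranet.example": ("business", 5),
    "downloads.example": ("file-sharing", 1),
}

# Ordered rules; the first rule whose conditions all hold decides the verdict.
RULES = [
    {"name": "marketing-may-post", "verdict": "allow", "app": "facebook", "action": "post", "group": "marketing"},
    {"name": "no-other-posting", "verdict": "block", "app": "facebook", "action": "post"},
    {"name": "employees-may-view", "verdict": "allow", "app": "facebook", "action": "view", "group": "employees"},
    {"name": "no-p2p", "verdict": "block", "app_category": "peer-to-peer"},
    {"name": "bad-reputation", "verdict": "block", "max_reputation": 2},
    {"name": "non-business-site", "verdict": "block", "url_category": {"gambling", "adult", "file-sharing"}},
]
DEFAULT_VERDICT = "allow"


def enrich(request):
    """Add the context the rules need: groups, app category, URL category and reputation."""
    category, reputation = URL_INFO.get(request.get("host"), ("unknown", None))
    return {
        "user": request["user"],
        "groups": USER_GROUPS.get(request["user"], set()),
        "app": request["app"],
        "app_category": APP_CATEGORY.get(request["app"], "unknown"),
        "action": request.get("action", "any"),
        "url_category": category,
        "reputation": reputation,
    }


def rule_matches(rule, ctx):
    """Every condition present in the rule must hold; absent conditions match anything."""
    if "app" in rule and rule["app"] != ctx["app"]:
        return False
    if "action" in rule and rule["action"] != ctx["action"]:
        return False
    if "group" in rule and rule["group"] not in ctx["groups"]:
        return False
    if "app_category" in rule and rule["app_category"] != ctx["app_category"]:
        return False
    if "url_category" in rule and ctx["url_category"] not in rule["url_category"]:
        return False
    if "max_reputation" in rule:
        # An unknown reputation does not trip the reputation rule; a category rule may still catch it.
        if ctx["reputation"] is None or ctx["reputation"] > rule["max_reputation"]:
            return False
    return True


def evaluate(request, rules=RULES):
    """Return (verdict, name of the deciding rule)."""
    ctx = enrich(request)
    for rule in rules:
        if rule_matches(rule, ctx):
            return rule["verdict"], rule["name"]
    return DEFAULT_VERDICT, "default"


if __name__ == "__main__":
    for req in [
        {"user": "alice", "app": "facebook", "action": "post", "host": "facebook.com"},
        {"user": "bob", "app": "facebook", "action": "post", "host": "facebook.com"},
        {"user": "bob", "app": "facebook", "action": "view", "host": "facebook.com"},
        {"user": "bob", "app": "bittorrent"},
        {"user": "alice", "app": "http", "action": "view", "host": "downloads.example"},
    ]:
        print(req["user"], req["app"], req.get("action", "any"), "->", evaluate(req))
```

Rule order is the part that bites in practice: the marketing exception only works because it sits above the general "no posting" rule; swap the two and Marketing is blocked along with everyone else. The reputation rule deliberately ignores hosts with no score, so a category rule (or the default) has to cover them.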

Page 24:

Advanced Malware Protection (AMP)

Page 25:

FireAMP Building Blocks: Visibility and Control

Lightweight Connector: watches for move/copy/execute; traps fingerprint and attributes
Mobile Connector: watches for apps; traps fingerprint and attributes
Web-based Manager: transaction processing, analytics, intelligence
Advanced Malware Protection (network): network defense against malware; identifies and blocks malicious files

Page 26:

Comprehensive AMP Features

Feature | Benefit | Description | Network | Endpoint
Malware Detection and Blocking | Stop malware before it can compromise systems | At the network and endpoints | ✔ | ✔
Retrospective Detection | Turn back the clock against malware | Continuous, persistent monitoring of files for retrospective malware detection/blocking | ✔ | ✔
File Trajectory | Quickly understand the scope of the malware problem | Malware tracking and visualization of malware and suspicious files across the network | ✔ | ✔
Device Trajectory | Deep analysis of root causes | Visualization of system-level activities for root cause determination | | ✔
Device Flow Correlation | Stop proliferation of malware and root causes at the endpoint | Block malware communication and dropper activity at the endpoint | | ✔
File Analysis | Fast and safe file forensics | Full file analysis to quickly understand malware and file behavior | | ✔
Outbreak Control | Quickly stop malware from spreading | Control a suspicious file or malware outbreak across endpoints | | ✔
Indications of Compromise | Spotlight systems at risk of active breach | Prioritized list of compromised devices with links to inspect and remediate the problem | | ✔

Page 27:

Visibility & Control with FireAMP

Reporting

Trajectories

Analysis (Sandbox)

Control (Compliance)

Page 28:

Spotlight: Reporting

Customize by Group – Schedule or On Demand

Applications Introducing Malware

Threats Resident on First Scan

Possible APT

Page 29:

Spotlight: File Trajectory

Malware "flight recorder" shows point of entry and extent of outbreak.
Discover the malware gateway to reduce the risk of re-infection.
Identify systems that have downloaded/executed a specific malware file.

Page 30:

Spotlight: Device Trajectory

Extremely powerful malware behavioral analysis and forensics tool.
Analyze operating system behavior prior to, during and after infection.
Trace each stage of infection and communication to other internal and external hosts.

Page 31:

FireAMP Mobile

Advanced Malware Protection Using Big Data Analytics

Visibility: detect & analyze

▸ Android (2.1+) threats

▸ Cloud-based, real time

Control: contain & remediate

▸ Blacklists

Enterprise Ready

Page 32:

FireAMP Virtual

Leverages VMware's EPSec API to integrate with vShield
Deployed as a virtual appliance on each host
Managed via FireAMP's cloud portal

Note: because file activity is offloaded, File Trajectory will not display the parent SHA.

Page 33:

Continuous analysis: never forgets; covers network and devices.

Retrospective alerting: what systems are affected? What is the point and method of entry?

Turns back the clock against malware.
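Retrospective alerting (this slide), File Trajectory (page 29) and the Lightweight Connector's move/copy/execute tracking (page 25) all rest on one data structure: a ledger that keeps every file sighting keyed by hash, so that a disposition learned later can be applied to events that were already allowed. The block below is an added example illustrating that idea, not FireAMP code. The hosts, the hash, the timestamps, the sources and the "clean / malicious / unknown" disposition values are constructed; a real connector would also carry file paths, parent processes and user context.

```python
"""Retrospective detection and file trajectory over a stream of file events.
Added example, not FireAMP code. Each event is what a connector would report:
host, time, SHA-256 of the file, the action (download/copy/execute) and where
the file came from. Dispositions change over time; when a hash is reclassified
as malicious, every earlier sighting is revisited. All events, hashes and hosts
below are constructed."""
from collections import defaultdict

# A constructed SHA-256 (not a real sample) standing in for one dropped file.
SAMPLE = "4f2c" * 16   # 64 hex characters

# Constructed connector events in arrival order; ISO-8601 times sort correctly as strings.
EVENTS = [
    {"time": "2013-03-01T09:00:00Z", "host": "hostA", "sha256": SAMPLE, "action": "download",
     "source": "url:downloads.example/invoice.pdf.exe"},
    {"time": "2013-03-01T09:05:00Z", "host": "hostB", "sha256": SAMPLE, "action": "copy",
     "source": "smb://hostA/share"},
    {"time": "2013-03-01T09:06:00Z", "host": "hostB", "sha256": SAMPLE, "action": "execute",
     "source": "explorer.exe"},
]
LATE_EVENT = {"time": "2013-03-02T11:00:00Z", "host": "hostC", "sha256": SAMPLE, "action": "execute",
              "source": "outlook.exe"}


class FileLedger:
    """Keeps every sighting forever so a later verdict can be applied to the past."""

    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [event, ...]
        self.disposition = {}                # sha256 -> "clean" | "malicious" (absent = unknown)
        self.alerts = []                     # (kind, host, sha256, time)

    def record(self, event):
        """Store the sighting, then decide inline from the disposition known right now."""
        sha = event["sha256"]
        self.sightings[sha].append(event)
        if self.disposition.get(sha) == "malicious":
            self.alerts.append(("block", event["host"], sha, event["time"]))
            return "block"
        return "allow"

    def update_disposition(self, sha, new):
        """Apply new intelligence; a flip to malicious raises one retrospective alert per earlier sighting."""
        old = self.disposition.get(sha)
        self.disposition[sha] = new
        if new == "malicious" and old != "malicious":
            for ev in self.trajectory(sha):
                self.alerts.append(("retrospective", ev["host"], sha, ev["time"]))
        return self.affected_hosts(sha)

    def trajectory(self, sha):
        """File trajectory: all sightings in time order; the first one is the point of entry."""
        return sorted(self.sightings.get(sha, []), key=lambda ev: ev["time"])

    def point_of_entry(self, sha):
        path = self.trajectory(sha)
        return (path[0]["host"], path[0]["source"]) if path else None

    def affected_hosts(self, sha):
        return sorted({ev["host"] for ev in self.sightings.get(sha, [])})

    def executed_on(self, sha):
        return sorted({ev["host"] for ev in self.sightings.get(sha, []) if ev["action"] == "execute"})


def run_scenario():
    """Day 1: the file is unknown and flows freely. Day 2: intelligence flips it, then a new host runs it."""
    ledger = FileLedger()
    day1 = [ledger.record(ev) for ev in EVENTS]            # all "allow": nothing known yet
    ledger.update_disposition(SAMPLE, "malicious")         # retrospective alerts for hostA and hostB
    day2 = ledger.record(LATE_EVENT)                       # "block": now detected inline
    return ledger, day1, day2


if __name__ == "__main__":
    ledger, day1, day2 = run_scenario()
    print("day 1 verdicts:", day1, "| day 2 verdict:", day2)
    print("point of entry:", ledger.point_of_entry(SAMPLE))
    print("executed on:", ledger.executed_on(SAMPLE))
    for alert in ledger.alerts:
        print(alert)
```

The ledger answers the two questions on the slide directly: `affected_hosts` is "what systems are affected", and `point_of_entry` (the earliest sighting and its source) is "the point and method of entry". Note that `record` stores the sighting before deciding, so a blocked execution on hostC still lands in the trajectory; a ledger that only kept allowed events would lose exactly the hosts an incident responder most needs to see.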

Page 34:

Collective Security Intelligence

Page 35:

Collective Security Intelligence

Inputs: Private & Public Threat Feeds; File Samples (>180,000 per day); Advanced Microsoft & Industry Disclosures; FireAMP™ Community; Snort® & ClamAV™ Open Source Communities; Sourcefire AEGIS™ Program; SPARK Program; Honeypots; Sandnets

Processing by the Sourcefire Vulnerability Research Team: sandboxing, machine learning, big data infrastructure

Outputs: IPS Rules; Malware Protection; Reputation Feeds; Vulnerability Database Updates

Page 36:

Protecting Your Network

• 2 SEU/SRU and 1 VDB updates per week
• >10 CVEs covered per day
• >250,000 malware submissions per day
• 4,310 new IPS rules
• 100% same-day protection for Microsoft vulnerabilities
• 98.9% vulnerability coverage per NSS Labs IPS group test

Page 37:

STP and a Threat Centric Ecosystem

Page 38:

Thank you very much for your attention!