Post on 05-Sep-2020


Agile Security Solutions Piotr Linke

Security Engineer

CISSP CISA CRISC CISM

2

Open Source SNORT

3

Consider these guys…

All were smart. All had security. All were seriously compromised.

4

Icons: attack vectors

Attackers and defenders drive each other to innovate, resulting in distinct threat cycles.

The Industrialization of Hacking

Timeline, 1985 to 2010: viruses, macro viruses, worms, spyware/rootkits, APTs and malware; hackers. Early era goal: glory, mode: noise. Later era goal: profit, mode: stealth.

5

So what are you trying to protect…?

Servers, infrastructure, desktops, BYOD devices, users

6

Who are we fighting against?

7

Black Hole v2 (exploit kit)

8

Black Hole v2 (exploit kit, continued)

9

Nuclear Pack 2.0 (exploit kit)

10

Note the advertising strip.

11

Agile Security process

12

Lockheed Martin's "Cyber Kill Chain" (the slide calls it the "APT Kill Chain"): reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives.

13

APPLIANCES | VIRTUAL

NGFW | NGIPS | AMP

One platform addresses the entire attack continuum; the NGFW, NGIPS and AMP capabilities are enabled on it through software licenses.

BEFORE: see it, control it
DURING: intelligent and context aware
AFTER: retrospective security

14

Sourcefire Agile Security Solutions

Diagram: Collective Security Intelligence feeds the Management Center (appliances or virtual), which manages the Next-Generation Firewall, Next-Generation Intrusion Prevention and Advanced Malware Protection (appliances or virtual), with contextual awareness across hosts, virtual machines and mobile devices.

15

FireSIGHT is built into all Sourcefire next-generation security solutions to provide the network intelligence and context you need to respond to changing conditions and threats.

FireSIGHT™ Saves Money and Improves Security

• IT Insight: spot rogue hosts, anomalies, policy violations, and more
• Impact Assessment: threat correlation reduces actionable events by up to 99%
• Automated Tuning: adjust IPS policies automatically based on network change
• User Identification: associate users with security and compliance events
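The Impact Assessment bullet is the one that changes an analyst's day, so here is how the correlation works in practice, as an added example in Python that is not FireSIGHT's code: each IPS alert is checked against the passively learned profile of its target host (OS family, listening ports, known vulnerabilities) and given an impact level, and only levels 1 and 2 need a human. The level scheme is modelled on FireSIGHT's impact flags; the inventory and the alerts are constructed, and CVE-2008-4250 appears only as a well-known identifier.

```python
# Added example (not FireSIGHT code): correlate IPS alerts with a host inventory
# to assign an impact level. Hosts, alerts and rule ids below are constructed.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Host:
    ip: str
    os: str                   # OS family learned passively, e.g. "windows"
    open_ports: frozenset     # TCP ports seen listening
    vulns: frozenset          # CVE ids the host is known to be affected by


@dataclass(frozen=True)
class Alert:
    sid: int                  # IPS rule id that fired
    dst_ip: str
    dst_port: int
    target_os: frozenset      # OS families the exploit works against; empty = any
    cve: Optional[str]        # CVE the rule covers, if the rule is vulnerability-specific


# Impact levels, modelled on the FireSIGHT flags:
#   1 = vulnerable: service is up and the host is known to have the CVE
#   2 = potentially vulnerable: service is up, OS fits, vulnerability status unknown
#   3 = currently not vulnerable: port closed or OS does not match the exploit
#   4 = unknown target: no profile for that host (unmonitored segment or spoofed)
ACTIONABLE = {1, 2}


def assess(alert: Alert, inventory: dict[str, Host]) -> int:
    """Return the impact level of one alert given what we know about its target."""
    host = inventory.get(alert.dst_ip)
    if host is None:
        return 4
    if alert.dst_port not in host.open_ports:
        return 3
    if alert.target_os and host.os not in alert.target_os:
        return 3
    if alert.cve and alert.cve in host.vulns:
        return 1
    return 2


def triage(alerts, inventory):
    """Group alerts by impact level; return the groups and the actionable count."""
    by_level = {1: [], 2: [], 3: [], 4: []}
    for alert in alerts:
        by_level[assess(alert, inventory)].append(alert)
    actionable = sum(len(by_level[lvl]) for lvl in ACTIONABLE)
    return by_level, actionable


# Constructed inventory (what passive discovery would have learned).
INVENTORY = {
    "10.0.0.10": Host("10.0.0.10", "windows", frozenset({80, 445}), frozenset({"CVE-2008-4250"})),
    "10.0.0.20": Host("10.0.0.20", "linux", frozenset({22, 80}), frozenset()),
    "10.0.0.30": Host("10.0.0.30", "windows", frozenset({3389}), frozenset()),
}

# Constructed alerts: one SMB exploit rule (sid 1001) firing against several
# targets, plus two web-attack rules.
ALERTS = [
    Alert(1001, "10.0.0.10", 445, frozenset({"windows"}), "CVE-2008-4250"),    # 1: known vulnerable
    Alert(1001, "10.0.0.30", 445, frozenset({"windows"}), "CVE-2008-4250"),    # 3: 445 not listening
    Alert(1001, "10.0.0.20", 445, frozenset({"windows"}), "CVE-2008-4250"),    # 3: linux, 445 closed
    Alert(2002, "10.0.0.20", 80, frozenset({"windows"}), None),                 # 3: IIS exploit vs linux
    Alert(2003, "10.0.0.20", 80, frozenset(), None),                            # 2: generic web attack
    Alert(1001, "10.0.0.99", 445, frozenset({"windows"}), "CVE-2008-4250"),    # 4: unknown host
    Alert(3001, "10.0.0.10", 80, frozenset({"windows"}), None),                 # 2: port open, OS fits
    Alert(1001, "192.168.1.5", 445, frozenset({"windows"}), "CVE-2008-4250"),  # 4: unknown host
]

if __name__ == "__main__":
    groups, actionable = triage(ALERTS, INVENTORY)
    print(f"{actionable} of {len(ALERTS)} alerts are actionable")
    for level, items in groups.items():
        print(level, [(a.sid, a.dst_ip) for a in items])
```

On this constructed set 3 of 8 alerts are actionable (62.5% suppressed); the 99% on the slide comes from real networks, where most IPS hits land on hosts that do not run the targeted service at all. The check is only as good as the inventory: a stale profile turns a real hit into a level-3 alert, which is why passive discovery and automated tuning sit next to impact assessment in the list above.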

17

FirePOWER supports a range of Sourcefire security solutions with unmatched performance, threat protection and energy efficiency.

18

FirePOWER™ Hardware Features

• LCD Display: quick and easy headless configuration
• Device Stacking: scale monitoring capacity through stacking
• Connectivity Choice: change and add connectivity in line with network requirements
• Hardware Acceleration: best-in-class throughput, security, rack size per Mbps and price per Mbps
• Lights Out Management: minimal operational impact
• SSD: solid state drive for increased reliability
• Configurable Bypass or Fail Closed Interfaces: for IDS, IPS or firewall deployments

19

FirePOWER™ Appliances (chart: IPS throughput by model, 50 Mbps to 40 Gbps)

Fixed connectivity (mixed / SFP): 7010, 7020, 7030, 7110, 7115, 7120, 7125
Modular connectivity, stackable: 8120, 8130, 8140, 8250, 8260, 8270, 8290
SSL appliances: SSL1500 (1.5 Gbps), SSL2000, SSL8200

IPS throughput scale on the chart: 50 Mbps, 100 Mbps, 250 Mbps, 500 Mbps, 750 Mbps, 1 Gbps, 1.25 Gbps, 2 Gbps, 4 Gbps, 6 Gbps, 10 Gbps, 20 Gbps, 30 Gbps, 40 Gbps. Platform coverage is shown per model as NGIPS / App Control / NGFW / AMP.

All appliances include:
• Integrated lights-out management
• Sourcefire acceleration technology
• LCD display

20

What is a Next-Generation IPS?

Source: Gartner, defining_nextgeneration_netw_218641.pdf

Gartner definition (the slide marks every item as met by Sourcefire, ✔):
• Support bump-in-the-wire configuration without disrupting network traffic
• Act as a platform for network traffic inspection, intrusion detection and enforcement
• Standard first-generation IPS capabilities
• Application awareness and full-stack visibility
• Context awareness
• Content awareness
• Agile engine

21

Next Generation Firewall (NGFW) with Application Control

22

Reduce Risk Through Granular Application Control

Control access for applications, users and devices

→ “Employees may view Facebook, but only Marketing may post to it”

→ “No one may use peer-to-peer file sharing apps”

Over 2300 apps, devices, and more!
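The two policy statements above need more than an application name: the enforcement point must identify the action inside the application (viewing versus posting) and know which group the user belongs to, and the rules must be ordered so that the Marketing exception is seen before the general prohibition. As an added example, not Sourcefire's policy engine, the following Python evaluates an ordered rule list with first-match-wins semantics; the application names, categories, groups and requests are constructed.

```python
# Added example (not Sourcefire's access-control engine): ordered application control
# rules keyed on app, action within the app and user group. All names are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    decision: str                       # "allow" or "block"
    app: Optional[str] = None           # application name; None matches any app
    category: Optional[str] = None      # application category, e.g. "p2p"; None = any
    action: Optional[str] = None        # action inside the app, e.g. "post"; None = any
    groups: Optional[frozenset] = None  # user groups the rule applies to; None = everyone


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset                   # from identity integration (directory lookup)
    app: str                            # what application identification decided
    category: str
    action: str                         # "view", "post", "transfer", ...


def evaluate(policy, req):
    """First matching rule wins; return (decision, rule index) or the default."""
    for i, rule in enumerate(policy):
        if rule.app is not None and rule.app != req.app:
            continue
        if rule.category is not None and rule.category != req.category:
            continue
        if rule.action is not None and rule.action != req.action:
            continue
        if rule.groups is not None and not (rule.groups & req.groups):
            continue
        return rule.decision, i
    return "allow", None                # default action for traffic no rule mentions


# The slide's two statements, in the order they need: the Marketing exception
# precedes the general "no posting" rule, and both precede "Facebook may be viewed".
POLICY = [
    Rule("block", category="p2p"),                                                  # no one uses P2P
    Rule("allow", app="facebook", action="post", groups=frozenset({"Marketing"})),
    Rule("block", app="facebook", action="post"),
    Rule("allow", app="facebook"),                                                  # viewing is fine
]


def decide(user, groups, app, category, action):
    return evaluate(POLICY, Request(user, frozenset(groups), app, category, action))[0]


if __name__ == "__main__":
    print(decide("alice", {"Marketing"}, "facebook", "social", "post"))     # allow
    print(decide("bob", {"Sales"}, "facebook", "social", "post"))           # block
    print(decide("bob", {"Sales"}, "facebook", "social", "view"))           # allow
    print(decide("alice", {"Marketing"}, "bittorrent", "p2p", "transfer"))  # block
```

Swap the last two rules and every employee can post, because the blanket "allow facebook" matches before the action-specific block; order is part of the policy. The action field also only exists if the engine can see inside the session, so for HTTPS the "view versus post" distinction depends on TLS decryption, which is what the SSL appliances in the product line are for.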

23

URL Filtering and reputation

• Block non-business-related sites by category
• Based on user and user group
• Provide URL reputation information

24

Advanced Malware Protection (AMP)

25

FireAMP Building Blocks: Visibility and Control

Lightweight Connector
• Watches for move/copy/execute
• Traps fingerprint and attributes

Mobile Connector
• Watches for apps
• Traps fingerprint and attributes

Web-based Manager
• Transaction processing
• Analytics
• Intelligence

Advanced Malware Protection
• Network defense against malware
• Identifies and blocks malicious files

26

Comprehensive AMP Features

Feature | Benefit | Description | Available in
Malware Detection and Blocking | Stop malware before it can compromise systems | At the network and endpoints | Network, Endpoint
Retrospective Detection | Turn back the clock against malware | Continuous, persistent monitoring of files for retrospective malware detection/blocking | Network, Endpoint
File Trajectory | Quickly understand the scope of the malware problem | Malware tracking and visualization of malware and suspicious files across the network | Network, Endpoint
Device Trajectory | Deep analysis of root causes | Visualization of system-level activities for root cause determination | Endpoint
Device Flow Correlation | Stop proliferation of malware and root causes at the endpoint | Block malware communication and dropper activity at the endpoint | Endpoint
File Analysis | Fast and safe file forensics | Full file analysis to quickly understand malware and file behavior | single ✔ on the slide (column not recoverable)
Outbreak Control | Quickly stop malware from spreading | Control a suspicious file or malware outbreak across endpoints | Endpoint
Indications of Compromise | Spotlight systems at risk of active breach | Prioritized list of compromised devices with links to inspect and remediate the problem | Endpoint

27

Visibility & Control with FireAMP

• Reporting
• Trajectories
• Analysis (sandbox)
• Control (compliance)

28

Spotlight: Reporting

Customize by Group – Schedule or On Demand

Applications Introducing Malware

Threats Resident on First Scan

Possible APT

29

Spotlight: File Trajectory

Malware "flight recorder": shows the point of entry and the extent of the outbreak
• Discover the malware gateway to reduce the risk of re-infection
• Identify systems that have downloaded/executed a specific malware file

30

Spotlight: Device Trajectory

Extremely powerful malware behavioral analysis and forensics tool.
• Analyze operating system behavior prior to, during and after infection
• Trace each stage of infection and communication to other internal and external hosts

31

FireAMP Mobile

Advanced Malware Protection Using Big Data Analytics

Visibility: detect and analyze
▸ Android (2.1+) threats
▸ Cloud-based, real time

Control: contain and remediate
▸ Blacklists

Enterprise Ready

32

FireAMP Virtual

• Leverages VMware's EPSec API to integrate with vShield
• Deployed as a virtual appliance on each host
• Managed via FireAMP's cloud portal

Note: because file activity is offloaded, File Trajectory will not display the parent SHA.

33

Continuous analysis: never forgets; covers the network and devices.

Retrospective alerting: turns back the clock against malware. What systems are affected? What is the point and method of entry?
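Retrospective alerting and the File Trajectory spotlight earlier are two views of one data structure: every sighting of a file hash on every host is kept, so a verdict that changes later can be replayed against history instead of waiting for the next execution. As an added example that is not FireAMP code, the following Python keeps that trajectory and, when a hash flips to malicious, answers the two questions above (which systems, and the point and method of entry); it also carries the FireAMP Virtual case where a sighting has no parent SHA. Hosts, hashes, origins and the event stream are constructed.

```python
# Added example (not FireAMP code): a file trajectory store with retrospective
# alerting. Hosts, hashes, origins and events below are constructed for the demo.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    ts: int                        # seconds; only ordering matters here
    host: str
    sha256: str
    action: str                    # "create", "copy", "move" or "execute"
    origin: str                    # how the file arrived: "web", "email", "smb:<host>", "local"
    parent_sha256: Optional[str]   # file/process that produced it; None when not attributable


class Trajectory:
    def __init__(self):
        self.verdicts = {}                     # sha256 -> "clean" | "malicious"
        self.by_hash = defaultdict(list)       # sha256 -> [FileEvent], the "flight recorder"

    def record(self, ev: FileEvent) -> bool:
        """Store the sighting; return True if it should be blocked right now."""
        self.by_hash[ev.sha256].append(ev)
        return self.verdicts.get(ev.sha256) == "malicious"

    def set_verdict(self, sha256: str, verdict: str):
        """Update a verdict. A flip to malicious on a file already seen yields a
        retrospective alert immediately, without waiting for a new sighting."""
        previous = self.verdicts.get(sha256)
        self.verdicts[sha256] = verdict
        if verdict == "malicious" and previous != "malicious" and self.by_hash[sha256]:
            return self.retrospective_alert(sha256)
        return None

    def trajectory(self, sha256):
        return sorted(self.by_hash[sha256], key=lambda e: e.ts)

    def retrospective_alert(self, sha256):
        events = self.trajectory(sha256)
        entry = events[0]                      # earliest sighting = point of entry
        return {
            "sha256": sha256,
            "entry_host": entry.host,
            "entry_method": entry.origin,
            "entry_parent": entry.parent_sha256,   # None if the connector could not attribute it
            "affected_hosts": sorted({e.host for e in events}),
            "executed_on": sorted({e.host for e in events if e.action == "execute"}),
            "spread_path": [(e.ts, e.host, e.action) for e in events],
        }


# Constructed scenario: a file arrives by web download on ws-01, runs, and is
# copied over SMB to two more hosts before anyone knows it is malicious.
DROPPER = "sha256-constructed-dropper"
BROWSER = "sha256-constructed-browser"
NOTEPAD = "sha256-constructed-notepad"

EVENTS = [
    FileEvent(100, "ws-01", DROPPER, "create", "web", BROWSER),
    FileEvent(105, "ws-01", DROPPER, "execute", "local", None),
    FileEvent(200, "ws-02", DROPPER, "copy", "smb:ws-01", None),
    FileEvent(260, "ws-02", DROPPER, "execute", "local", None),
    FileEvent(300, "srv-05", DROPPER, "copy", "smb:ws-02", None),   # virtual host: no parent SHA
    FileEvent(310, "ws-03", NOTEPAD, "execute", "local", None),
]


def run_scenario():
    """Replay the events, then flip the verdict; return (blocked per event, alert, blocked later)."""
    t = Trajectory()
    t.set_verdict(NOTEPAD, "clean")
    blocked = [t.record(ev) for ev in EVENTS]               # all False: nothing known yet
    alert = t.set_verdict(DROPPER, "malicious")             # retrospective: history is replayed
    blocked_later = t.record(FileEvent(400, "ws-04", DROPPER, "copy", "smb:srv-05", None))
    return blocked, alert, blocked_later


if __name__ == "__main__":
    blocked, alert, blocked_later = run_scenario()
    print(alert)
    print("next sighting blocked:", blocked_later)
```

The alert names ws-01 as the entry host with method "web", lists ws-02 and srv-05 as affected and ws-01/ws-02 as hosts that executed the file, which is the "malware gateway" and "systems that have downloaded/executed" information from the File Trajectory slide; srv-05 shows up with no parent SHA, the gap the FireAMP Virtual note describes. The point of keeping the history is visible in the last line: the next copy onto ws-04 is blocked at sight.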

34

Collective Security Intelligence

Inputs:
• Private and public threat feeds
• File samples (>180,000 per day)
• Advanced Microsoft and industry disclosures
• FireAMP™ Community
• Snort® and ClamAV™ open source communities
• Sourcefire AEGIS™ Program
• SPARK Program
• Honeypots and sandnets

Processing by the Sourcefire Vulnerability Research Team: sandboxing, machine learning, big data infrastructure

Outputs:
• IPS rules
• Malware protection
• Reputation feeds
• Vulnerability database updates

36

Protecting Your Network

• 2 SEU/SRU (Security Enhancement / Sourcefire Rule Updates) and 1 VDB (vulnerability database) update per week
• >10 CVEs covered per day
• >250,000 malware submissions per day
• 4,310 new IPS rules
• 100% same-day protection for Microsoft vulnerabilities
• 98.9% vulnerability coverage per NSS Labs IPS group test

37

STP and a Threat Centric Ecosystem

38

Thank you very much for your attention!
