Cisco and Sourcefire: A Threat-Centric Security Approach

Sourcefire: More Than a Decade of Security Innovation (timeline slide, 2001 to 2013)
• Snort®-based IDS Appliance
• Gigabit Intrusion Detection
• Inline Intrusion Prevention
• Multi-Gigabit IPS
• Management of Physical & Virtual IPS Sensors
• Centralized Intrusion Management
• Real-time Network Awareness
• Network Behavior Analysis
• Real-time User Awareness
• IT Policy Compliance Rules
• Automated Impact Assessment
• Automated IPS Tuning, 10 Gbps IPS
• Portal-like, Customizable Dashboard
• 20 Gbps IPS, SSL
• FirePOWER™ 7/8000 Series
• 40 Gbps IPS
• FireAMP™ Virtual/Mobile, IP Intelligence
• NGFW
• NGIPS with App Control, FireAMP™, “Big Data” infrastructure, AMP for FirePOWER
• Mixed-media 7115/7125 Appliances, AMP Appliance, Geo-location, Device & Network File Trajectory
• 52 Patents Awarded or Pending
• World-Class Vulnerability Research Team (VRT™)
Agenda
• Sourcefire Background
• Open Source Technology
• The Security Problem
• The New Security Model
• Mapping Technologies to the Model
• Visibility Is the Foundation
• Sourcefire Technology Deep Dive
• Customer Use Cases
• Annual Security Report
• Reduce Complexity and Increase Capability
Targeted Protection Addresses Your Challenges
Industries served: federal, state and local government; critical infrastructure; finance; technology; communications; pharmaceuticals; healthcare; media; retail; education.
• Thousands of users worldwide
• Industry-focused, customizable content
• Strong community of contributors
• High performance for enterprise networks
Open Source Technology
• Open source is about building great software in a collaborative manner with the people who will use it and giving them what they need to solve complex problems.
• In the security context, it is also about building trust from the community of users by demonstrating technical excellence, trustworthiness, thought leadership and a considered approach to what is important as it relates to the problem at hand.
• Legacy of success (Linux, Apache, Snort)
• Robustness of community
• No ‘black box’ functionality, no ‘back doors’
• Weaknesses exposed and corrected
If you knew you were going to be compromised, would you do security differently?
The New Security Model: the Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Covers Network, Endpoint, Mobile, Virtual and Cloud; protection moves from point-in-time to continuous.
Mapping Technologies to the Model (Attack Continuum)
BEFORE (Control, Enforce, Harden): Firewall, Patch Mgmt, App Control, Vuln Mgmt, VPN, IAM/NAC
DURING (Detect, Block, Defend): IPS, Anti-Virus, Email/Web
AFTER (Scope, Contain, Remediate): IDS, AMD, FPC, Log Mgmt, Forensics, SIEM
Underpinning all three phases: Visibility and Context
Solutions Across the Continuum (BEFORE: Control, Enforce, Harden; DURING: Detect, Block, Defend; AFTER: Scope, Contain, Remediate)
• Firewall
• VPN
• NGIPS
• Advanced Malware Protection
• NGFW
• UTM
• Web Security
• Network Behavior Analysis
• NAC + Identity Services
• Email Security
Underpinning all three phases: Visibility and Context
Visibility Is the Foundation
Layers of the platform, top to bottom:
• Workflow (automation) Engine
• Breach: understand scope, contain and remediate
• Threat: focus on the threat; security is about detecting, understanding and stopping threats
• Policy: set policy to reduce the attack surface
• Context: broad awareness for context
• APIs expose each layer
Visibility Enables Control
• Workflow (automation) Engine
• Breach (Scope, Contain, Remediate): IDS, AMD, FPC, Log Mgmt, Forensics, SIEM
• Threat (Detect, Block, Defend): IPS, AV, Email / Web
• Policy (Control, Enforce, Harden): Firewall, Patch Mgmt, App Control, Vuln Mgmt, VPN, IAM / NAC
• Context (Discover, Monitor, Inventory, Map): Network / Devices, Users / Applications, Files / Data
• APIs expose each layer

A Platform Strategy Driven by the Attack Continuum
The same layered platform (Workflow Engine; Breach; Threat; Policy; Context; APIs) maps onto the continuum: Policy covers BEFORE, Threat covers DURING, Breach covers AFTER, and Context supplies the visibility they all depend on.
Protecting the Extended Network
• Networks now extend to all endpoints, mobile and virtual
• The extended network’s new attack vectors must be protected by integrated technologies and intelligence
• Integrated intelligence across all control points, network and endpoint, protects across the full attack continuum
Network-based: Visibility & Control. Device-based: Visibility & Control. Both fed by Reputation & Collective Security Intelligence.
Network-Based Security Platform
• Single-pass, high-performance, low-latency design
• Configuration flexibility: NGFW, NGIPS with App Control, NGIPS, Advanced Malware Protection
• “Enterprise-ready”: superior performance, central management, scalability
FireSIGHT™ Sees “Everything”
Complete network and endpoint visibility. FireSIGHT delivers a level of environmental awareness and automation never seen before in the industry.
FireSIGHT Fuels Automation
• IT Insight: spot rogue hosts, anomalies, policy violations, and more
• Impact Assessment: threat correlation reduces actionable events by up to 99%
• User Identification: associate users with security and compliance events
• Automated Tuning: adjust IPS policies automatically based on network change
Sourcefire Advanced Malware Protection with Retrospective Security
• Comprehensive
• Continuous Analysis
• Integrated Response
• Big Data Analytics
• Control & Remediation
Powered by Collective Security Intelligence.
Analysis Beyond the Event Horizon
Addresses the limitations of point-in-time detection.
Network AMP
• Continuous File Analytics
• Reputation Determination (fingerprint sent to the cloud; results flow back to the Defense Center event stream)
• Network Advanced Malware Protection: malware detection of files across the wire
• Continuous analysis and detection, including retrospective alerts
• Security Intelligence for outbound / C&C traffic
• Optional FireAMP Connectors (Client/Mobile/Virtual) provide enhanced intelligence and cleanup capabilities
Advanced Malware Detection
A detection lattice considers content from each engine for real-time file disposition:
• One-to-One: signature-based, first line of defense
• Fuzzy Fingerprinting: algorithms identify polymorphic malware
• Machine Learning: analyzes 400+ attributes for unknown malware
• Advanced Analytics: combines data from the lattice with global trends
Cloud-based delivery results in better protection plus a lower storage and compute burden on the endpoint.
File Analysis: Fast and Safe File Forensics
• VRT-powered insight into advanced malware behavior
• Original file, network capture and screenshots of malware execution
• Understand root cause and remediation
Flow: files submitted by FireAMP and clients go to Sourcefire VRT sandbox analysis, which reports back per-file dispositions (infected or not). Advanced malware analysis without advanced investment.
Device Flow Correlation: Monitor device communications to uncover potential malware
• Network detection at the endpoint
• Passive or active
• Monitor key application network traffic
• All inbound/outbound connections compared to the VRT intelligence feed
Network File Trajectory
• View the path a file took through the network to reach its destination
• Works with files of any disposition, not just malware
• Uses SHA-256 to uniquely identify a file
• Available for file types where a SHA-256 is calculated: PDF, EXE, JAR, SWF, Word, Excel, PowerPoint, etc.
• Requires a File Policy to be enabled, with malware detection or blocking as the file action (to generate the SHA-256)
The trajectory is opened from the File Trajectory link.
Network File Trajectory example (screenshot sequence): systems infected and the time of entry; the file’s introduction; sent by mail (Thunderbird); the user’s “click”; the resulting systems infected and time of entry.
Note: future icon unification with FireAMP will likely cause some icon changes on both platforms.
File Trajectory: Quickly understand the scope of a malware problem
Looks ACROSS the organization and answers:
• What systems were infected?
• Who was infected first (“patient 0”) and when did it happen?
• What was the entry point?
• When did it happen?
• What else did it bring in?
File Trajectory example (screenshot): systems infected, the point of entry, the file introducing the threat, and the time of entry.
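As an added illustration of how File Trajectory answers its questions from a SHA-256-keyed event stream (example code written for this page, not Sourcefire’s), the following builds a trajectory from a constructed set of file-transfer events and also answers “what else did it bring in?” by looking at files that infected hosts sent on afterwards. The event fields, hostnames and hash labels are assumptions, not Sourcefire’s schema.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of file-transfer events, loosely modelled on the Defense
# Center event stream. Field names are assumptions; SHA256_* are placeholders.
@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    sha256: str
    src: str          # host that sent the file
    dst: str          # host that received it
    app: str          # application/protocol the file crossed on
    disposition: str  # "malware", "clean" or "unknown"

EVENTS = [
    FileEvent(datetime(2013, 9, 2, 9, 14), "SHA256_A", "mail.example.net", "ws-17", "SMTP", "malware"),
    FileEvent(datetime(2013, 9, 2, 9, 40), "SHA256_A", "ws-17", "fileserver-1", "SMB", "malware"),
    FileEvent(datetime(2013, 9, 2, 10, 5), "SHA256_A", "fileserver-1", "ws-22", "SMB", "malware"),
    FileEvent(datetime(2013, 9, 2, 10, 9), "SHA256_B", "ws-17", "ws-31", "HTTP", "unknown"),
    FileEvent(datetime(2013, 9, 2, 8, 0), "SHA256_C", "ws-22", "ws-40", "SMB", "clean"),
]
INTERNAL = {"ws-17", "ws-22", "ws-31", "ws-40", "fileserver-1"}  # assumed inventory

def file_trajectory(events, sha256):
    """Answer the File Trajectory questions for one file hash, or None if unseen."""
    path = sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.ts)
    if not path:
        return None
    first = path[0]
    # Hosts that received the file, in order of first sighting (any disposition).
    systems = list(dict.fromkeys(e.dst for e in path if e.dst in INTERNAL))
    # When each host first got the file; used to scope the "brought in" question.
    seen_at = {}
    for e in path:
        seen_at.setdefault(e.dst, e.ts)
    # Other hashes sent by an infected host at or after it received this file.
    # SHA256_C is excluded below because ws-22 sent it before it was infected.
    brought_in = sorted({e.sha256 for e in events
                         if e.sha256 != sha256 and e.src in seen_at
                         and e.ts >= seen_at[e.src]})
    return {
        "patient_zero": first.dst,
        "time_of_entry": first.ts,
        "entry_point": f"{first.src} via {first.app}",
        "systems_infected": systems,
        "brought_in": brought_in,
        "hops": [(e.src, e.dst) for e in path],
    }
```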
Device Trajectory: Fast analysis of root causes, integrated with remediation
Looks DEEP into a device and helps answer:
• How did the threat get onto the system?
• How bad is the infection on a given device?
• What communications were made?
• What don’t I already know about?
• What is the chain of events?
Device Trajectory example (screenshot): root cause, other threats of interest, and what the threat is doing.
Indicators of Compromise: Big Data spotlight on systems at high risk for an active breach
• Automated compromise analysis and determination
• Prioritized list of compromised devices
• Quick links for rapid root cause analysis and remediation
Outbreak Control: Multiple ways to stop threats and eliminate root causes
• Simple and specific controls, or
• Context-rich signatures for broader control
Controls available (cloud and client based):
• Simple Custom Detections: fast and specific
• Advanced Custom Signatures: families of malware
• Application Blocking Lists: group policy control
• Custom White Lists: trusted apps and images
• Device Flow Correlation / IP Blacklists: stop connections to bad sites
End Point Device Trajectory (screenshot): other threats of interest, what the threat is doing, and the root cause.
End Point File Trajectory (screenshot): systems infected, the point of entry, the time of entry, and the file introducing the threat.
Maximize Resources, Mitigate Risks: Leading Engineering Construction Firm
Challenge
• Secure globally distributed access to the corporate private cloud data center
• Gain a greater understanding of the scope of alerts and detections from other systems
• Limited staff and resources to respond to breaches
Solution
• Deployed Sourcefire NGIPS with FireAMP on all MPOS private cloud connections
• Leveraged alerts from Sourcefire and existing security offerings to identify compromised systems and deploy FireAMP
• Used FireAMP to investigate root cause and remediate breached endpoints
Business Value
Allows them to focus limited resources on the most important security risks and identify compromised systems, while providing the tools to investigate and remediate without the fear of reinfection.
Gain Visibility into Malware: Leading U.S. Bank
Challenge
• Gain visibility into targeted phishing attacks and drive-by threats to endpoints, mobile and virtual
• Isolate and contain critical threats, and reduce the time and costs associated with analyzing the overwhelming number of daily security alerts
Solution
• Augment IPS with Sourcefire FireAMP capabilities to discover and analyze threats in real time
• Leverage FireAMP’s capabilities to gain visibility into network activity in real time
• FireAMP’s File Trajectory capabilities have helped pinpoint threats during and after attacks
Business Value
“People feel good about the investment the company has made in Sourcefire technologies. With these technologies in place, we have reduced costs, gained greater visibility and are now able to understand what happened when an incident occurs. What took days to resolve now takes only a few hours to resolve.” VP, Enterprise Information Security Officer
Identify and Prioritize Malware Threats: Leading Power Utility
Challenge
• Gain greater visibility into consistent endpoint attacks
• Identify the details of infections and attacks
• Reduce time spent investigating all suspicious activity, both on the network and at the endpoint
Solution
• Augment IPS with Sourcefire FireAMP capabilities
• Add licenses via the FUEL program to add FireAMP products at no cost
• Allowed threats to be isolated to device-based sources, with full visibility into the corresponding network activity
Business Value
Information superiority is achieved through gaining complete visibility into the malware infection, the attack vector and the impact to the network, and being able to make intelligent, surgical decisions for remediation.
Reduce Complexity and Increase Capability
Collective Security Intelligence and Centralized Management sit above three control platforms:
• Network Control Platform: appliances, virtual
• Device Control Platform: host, mobile, virtual
• Cloud Services Control Platform: hosted

Strategic Imperatives
• Visibility Driven: network integrated, broad sensor base, context and automation
• Threat Focused: continuous advanced threat protection, cloud-based security intelligence
• Platform Based: agile and open platforms, built for scale, consistent control and management
Across Network, Endpoint, Mobile, Virtual and Cloud.