Cisco and/or its affiliates. All rights reserved. Cisco Public
What would you do if you knew you would be compromised?!
Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud
Protection: Continuous and Point-in-time
7 Pillars of Cisco Security Offerings
Security Products
Threat Research
Trainings and Certification
Security Services
Security Solutions
3rd Party Partnerships
CVDs
Latest Security Acquisitions
Ironport – Email And Web Security
Lancope * – Behavioral Anomaly Detection
(*): Not a full acquisition
Cognitive – Big Data Analytics
Meraki – Cloud Managed UTM
Sourcefire – Next Generation IPS and APT
Threatgrid – Advanced Malware Solutions
Neohapsis – Security Consultancy
+5B USD
6 Sourcefire NGIPS & AMP Presentation
You should also know the Estate of Your Network
Network Servers
Operating Systems
Routers and Switches
Mobile Devices
Printers
VoIP Phones
Virtual Machines
Client Applications
Files
Users
Web Applications
Application Protocols
Services
Malware Command and Control Servers
Vulnerabilities
NetFlow
Network Behavior
Processes
You cannot protect what you cannot see
Gartner Defines Next-Generation IPS
NGIPS Definition
• Standard First-Gen IPS
• Context Awareness
• Application Awareness and full-stack visibility
• Content Awareness
• Adaptive Engine
Download at Sourcefire.com
*Source: “Defining Next-Generation Network Intrusion Prevention” Gartner, October 7, 2011
Context Awareness in Intrusion Events
The same intrusion event, progressively enriched with context:
1. Event: Attempted Privilege Gain; Target: 96.16.242.135
2. Event: Attempted Privilege Gain; Target: 96.16.242.135 (vulnerable); Host OS: Blackberry; Apps: Mail, Browser, Twitter; Location: Whitehouse, US
3. Event: Attempted Privilege Gain; Target: 96.16.242.135 (vulnerable); Host OS: Blackberry; Apps: Mail, Browser, Twitter; Location: Whitehouse, US; User ID: bobama; Full Name: Barack Obama; Department: Executive Office
FirePOWER Platform
FireSIGHT Management Center
• Context Awareness
• Operating System Identification
• Fingerprint Applications (Web, Protocol & Client Versions)
• Service Enumeration (HTTP, SMTP, RDP, etc.)
• User Awareness
• 24x7 Monitoring (Passive & Inline)
• Identify Assets’ Potential Vulnerabilities (Weaknesses)
• Leverage Visibility/Vulnerabilities to “Adapt”
• Access Control Rules Enforcement
• Alerting, Correlation & Packet Capture
FirePOWER Platform/Services
• Inspect, Detect, Drop, Allow, etc.
• IPS, Application Control, Malware Inspection & URL Rating
• Inline, Passive & Hybrid
FireSIGHT Brings Unprecedented Network Visibility
FireSIGHT – Unique Visibility
(Comparison chart: Typical IPS vs. Typical NGFW vs. Cisco FireSIGHT System)
Building Host Profile
• OS & version identified
• Server applications and version
• Client applications and client version
• Who is at the host
• What other systems / IPs did the user have, and when?
§ Converting Data into Information
Retrospective Security
Shrink Time between Detection and Cure
(Figure: file trajectory across PDF, Mail and Admin Request events)
Multi-vector Correlation
Early Warning for Advanced Threats
(Figure: Host A: 2 IoCs, Host B: 5 IoCs, Host C: 3 IoCs)
Adapt Policy to Risks
Dynamic Security Control
Automated, Integrated, Adaptive Threat Defense: Superior Protection for the Entire Attack Continuum
Context and Threat Correlation
(Figure: Impact Assessment ranks events as Priority 1, Priority 2, Priority 3)
FireSIGHT Impact Assessment
Correlates all intrusion events to an impact of the attack against the target

Impact Flag | Administrator Action                   | Why
1           | Act immediately, vulnerable            | Event corresponds to vulnerability mapped to host
2           | Investigate, potentially vulnerable    | Relevant port open or protocol in use, but no vuln mapped
3           | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4           | Good to know, unknown target           | Monitored network, but unknown host
0           | Good to know, unknown network          | Unmonitored network
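One way to reproduce the impact-flag logic of this table in code, as an added example that is not Cisco's or FireSIGHT's own code: it walks the table top-down against a constructed host profile (OS, open ports, mapped vulnerability ids); the monitored networks, OS names and vulnerability ids are hypothetical values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

IMPACT_ACTIONS = {  # administrator action per impact flag, as in the table above
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}

@dataclass
class HostProfile:
    ip: str
    os: str
    open_ports: set = field(default_factory=set)  # (port, proto) pairs seen in use
    vulns: set = field(default_factory=set)       # vulnerability ids mapped to the host

@dataclass
class IntrusionEvent:
    target_ip: str
    port: int
    proto: str
    vuln_id: Optional[str] = None  # vulnerability the rule is written for, if any

def impact_flag(event: IntrusionEvent, hosts: dict, monitored: list) -> int:
    """Walk the table top-down: network monitored? host profiled? vuln mapped? port open?"""
    if not any(ipaddress.ip_address(event.target_ip) in net for net in monitored):
        return 0  # unmonitored network: nothing is known about the target
    host = hosts.get(event.target_ip)
    if host is None:
        return 4  # monitored network, but no host profile was ever built
    if event.vuln_id is not None and event.vuln_id in host.vulns:
        return 1  # the exact vulnerability is mapped to this host
    if (event.port, event.proto) in host.open_ports:
        return 2  # service exposed, but the vulnerability is not mapped
    return 3  # port not open / protocol not in use on this host

# Constructed sample data; OS names and vulnerability ids are hypothetical.
MONITORED = [ipaddress.ip_network("10.4.0.0/16"), ipaddress.ip_network("10.5.0.0/16")]
HOSTS = {
    "10.4.10.183": HostProfile("10.4.10.183", "Windows 7", {(445, "tcp"), (80, "tcp")}, {"VULN-0001"}),
    "10.5.11.8": HostProfile("10.5.11.8", "Linux", {(22, "tcp")}),
}

def assess(event: IntrusionEvent) -> Tuple[int, str]:
    flag = impact_flag(event, HOSTS, MONITORED)  # (flag, administrator action)
    return flag, IMPACT_ACTIONS[flag]
```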
Indications of Compromise (IoCs)
IPS Events: Malware Backdoors, Exploit Kits, Web App Attacks, CnC Connections, Admin Privilege Escalations
SI Events: Connections to Known CnC IPs
Malware Events: Malware Detections, Office/PDF/Java Compromises, Malware Executions, Dropper Infections
Gartner Leadership
Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.
As of December 2013. Source: Gartner (December 2013)
(Magic Quadrant figure: axes are ability to execute vs. vision; quadrants are leaders, challengers, visionaries and niche players. Vendors shown: Sourcefire (Cisco), Cisco, IBM, HP, McAfee, StoneSoft (McAfee), Radware, Huawei, Enterasys Networks (Extreme Networks), NSFOCUS Information Technology)
ASA with FirePOWER Services Available Now!!
Industry’s First Threat-Focused NGFW
#1 Cisco Security announcement of the year!
• Integrating defense layers helps organizations get the best visibility
• Enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum
Proven Cisco ASA firewalling
Industry leading NGIPS and AMP
Cisco ASA with FirePOWER Services
Cisco Confidential 22 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
NSS Labs – Next-Generation Firewall Security Value Map
Source: NSS Labs 2014
The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All three products achieved 99.2 percent in security effectiveness and now all can be confident that they will receive the best protections possible regardless of deployment.
Plan A: Prevention
• Speed: Real-time, dynamic decisions trained on data
• Static and Dynamic Analysis for Threat Intelligence
• High accuracy, low false positives / negatives
• Bolster the walls, reduce attack surface
• Mode: Security control
Plan B: Retrospection
• Track system behaviors without regard to disposition
• Extend analysis beyond the event horizon
• Contain & correct damage, expel embedded intruders
• Reveals malicious activity and reduces response time
• Mode: Incident Response
Do Security Different!
Plan A: The Prevention Framework
1-to-1 Signatures
Fuzzy Fingerprinting
Machine Learning
IOCs
Dynamic Analysis
Advanced Analytics
Device Flow Correlation
Advanced Analytics - Prevalence
Plan A: The Prevention Framework
All Detection < 100%
Plan B: The Retrospection Framework
Retrospective Security
Continuous Protection
Plan B: Retrospection Framework
Continuous Analysis
• A file arrives; Initial Disposition = CLEAN
• Analysis continues over time
• A Retrospective Alert is sent later when Disposition = BAD
• When you can’t detect 100%, Retrospective Visibility is critical
Typical Analysis
• 1-to-1, Fuzzy Fingerprints, Machine Learning, Sandboxing, etc. give Disposition = CLEAN
• Analysis Stops After Initial Disposition
• Sleep techniques, Unknown protocols, Encryption, Performance
• Actually... Disposition = BAD ... too late!
Comprehensive Environment Protection with AMP Everywhere

AMP Protection | Method                                                     | Ideal for
Content        | License with ESA or WSA                                    | New or existing Cisco Email or Web Security customers
Network        | Stand Alone Solution, or enable AMP on FirePOWER Appliance | NGIPS/NGFW customers
Endpoint       | Install on endpoints                                       | Windows, Mac, Android, VMs

Cisco Advanced Malware Protection covers the threat vectors Email and Web, Networks, and Devices.
AMP file trajectory walkthrough
1. An unknown file is present on IP 10.4.10.183, having been downloaded via Firefox.
2. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
3. Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.
4. Half an hour later the file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application.
5. The Cisco Collective Security Intelligence Cloud learns this file is malicious, and a retrospective event is raised for all four devices immediately.
6. At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
7. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
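The continuous-analysis idea from the Retrospection Framework and the four-device trajectory just described, as an added example that is not Cisco's or AMP's own code: a tracker records every host a file touched and, when the cloud verdict flips from CLEAN/UNKNOWN to BAD, alerts all of them at once and blocks the next sighting. The file hash, the date and the time of the first download are assumed placeholders; the four IP addresses and the hour offsets are those from the slides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identifiers: AMP tracks files by hash; this value is a placeholder.
FILE_HASH = "sha256:constructed-placeholder"
T0 = datetime(2014, 1, 1, 10, 57)  # the slide gives 10:57; the date is assumed

class RetrospectiveTracker:
    """Records every host a file touched and re-alerts them when the verdict changes."""

    def __init__(self):
        self.disposition = {}                # file hash -> "UNKNOWN" | "CLEAN" | "BAD"
        self.trajectory = defaultdict(list)  # file hash -> [(time, host, how)]

    def observe(self, fh, when, host, how):
        """Point-in-time decision: block only if the cache already says BAD."""
        verdict = self.disposition.setdefault(fh, "UNKNOWN")
        self.trajectory[fh].append((when, host, how))
        return "BLOCK" if verdict == "BAD" else "ALLOW"

    def update_disposition(self, fh, new):
        """Cloud verdict changed; on a flip to BAD, return every host in the trajectory."""
        old = self.disposition.get(fh, "UNKNOWN")
        self.disposition[fh] = new
        if new == "BAD" and old != "BAD":
            return sorted({host for _, host, _ in self.trajectory[fh]})
        return []  # no change, or already BAD: nothing new to alert

def replay_slide_scenario():
    """Replays the four-device trajectory; returns (alerted hosts, re-entry verdict)."""
    t = RetrospectiveTracker()
    t.observe(FILE_HASH, T0 - timedelta(minutes=5), "10.4.10.183", "Firefox download")  # time assumed
    t.observe(FILE_HASH, T0, "10.5.11.8", "transfer from 10.4.10.183")
    t.observe(FILE_HASH, T0 + timedelta(hours=7), "10.3.4.51", "SMB copy")
    t.observe(FILE_HASH, T0 + timedelta(hours=7, minutes=30), "10.5.60.66", "SMB copy")
    alerted = t.update_disposition(FILE_HASH, "BAD")  # cloud learns the file is malicious
    reentry = t.observe(FILE_HASH, T0 + timedelta(hours=8), "10.4.10.183", "Firefox download")
    return alerted, reentry
```

A tracker that stopped after the initial CLEAN verdict would never produce the alert list, which is the difference between the "Typical Analysis" and "Continuous Analysis" timelines above.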
Visual Point of Reference: What is AMP exactly? What does it look like?
NSS Labs Security Value Map (SVM) for Breach Detection Systems
(Figure: Security Effectiveness vs. TCO per Protected-Mbps)
The Results: Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value
Cisco Advanced Malware Protection: Best Protection Value, 99.0% Breach Detection Rating, Lowest TCO per Protected-Mbps
Overall Product Ratings: Cisco-Sourcefire AMP Results – For Detection Capability Only
Sourcefire AMP Detection Systems
IPS Performance and Scalability
Deployment scale (figure axis): Data Center, Campus, Branch Office, SOHO, Internet Edge

Model                    | Throughput
FirePOWER 7000 Series    | 50 Mbps – 250 Mbps
FirePOWER 7100 Series    | 500 Mbps – 1 Gbps
FirePOWER 7120/7125/8120 | 1 Gbps – 2 Gbps
FirePOWER 8100/8200      | 2 Gbps – 10 Gbps
FirePOWER 8200 Series    | 10 Gbps – 40 Gbps

• From 50 Mbps to 60 Gbps
• Modularity in 8000 Series
• Fixed Connectivity in 7000 Series
• Mixed SFPs in 7100 Series
• Configuration Fail-Open & Fail-Close across all
• Scalable 8000 Series runs NGIPS, AMP and App Control in the same chassis
SSL Appliance vs Integrated SSL
• Choose external SSL for high bandwidth and the ability to inspect with other solutions, e.g. DLP
(Figure, SSL Decryption: Client <-encrypted-> SSL Appliance <-decrypted-> FirePOWER <-encrypted-> Server)
• Use new built-in SSL inspection for simplicity and cost-effectiveness (V5.4 onwards only)
EPS REST API
Threat Detection: IDS Sig, Malware, Traffic, Application, and many more
Automagical, Dynamic, Squirrely Threat/Malware/Attack Response/Defense
ISE Quarantine Action: VLAN Assignment, dACLs, SGT, QoS TAG