AGILE SECURITY™: Security for the Real World (Sourcefire slide deck, 46 slides)

Upload: cisco-russia

Posted 26-Jan-2015


TRANSCRIPT

Page 1: AGILE SECURITY™ Security for the Real World

AGILE SECURITY™: Security for the Real World

Presenter Name | Presenter Title | Date | Prepared for:

Page 2

Sourcefire is Trusted Security

Trusted for over 10 years

Security from network to endpoint

▸ IPS, NGFW, Endpoint | Physical, Virtual, Cloud

Protecting organizations in over 180 countries

Innovative: 41+ patents awarded or pending

World-class research

Open source projects

▸ Snort®, ClamAV®, Razorback®

IPS MQ Leader | America’s Fastest-Growing Tech Companies 2011

Page 3

IT Environments are Changing Rapidly

▸ Virtualization
▸ Consumerization
▸ Mobilization
▸ Applications
▸ Networks
▸ Devices
▸ VoIP

Page 4

Threats are Increasingly Complex

Client-side Attacks

Targeted | Organized

Relentless | Innovative

Advanced Persistent Threats

Malware Droppers

Page 5

Threats Change — Traditional Security Products Do Not

Static | Inflexible

Closed/Blind | Labor Intensive

“Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure.”

- Neil MacDonald, VP & Gartner Fellow

Source: Gartner, Inc., “The Future of Information Security is Context Aware and Adaptive,” May 14, 2010

Page 6

What the World Needs is…

…a continuous process to respond to continuous change.

Agile Security

Page 7

You Can’t Protect What You Can’t See

Breadth: who, what, where, when

Depth: as much detail as you need

Real-time data

See everything in one place

Sourcefire provides information superiority

Figure: Agile Security visibility spans OS, Users, Devices, Threats, Applications, Files, Vulnerabilities and Network.

Page 8

Leverage Awareness For Knowledge

Gain insight into the reality of your IT and security posture

Get smarter by applying intelligence

Correlate, prioritize, decide

Collective intelligence elevates overall defense

Agile Security

Page 9

Change is Constant

Automatically optimize defenses

Lock down your network to policy

Leverage open architecture

Configure custom fit security

Sourcefire invented customized security & self-tuning

Agile Security

Page 10

Act Decisively & Efficiently

Block, alert, log, modify, quarantine, remediate

Respond via automation

Reduce the ‘noise’

Superior protection through intelligence & automation

Agile Security

Page 11

How Sourcefire Delivers Agile Security

COLLECTIVE SECURITY INTELLIGENCE

MANAGEMENT: Management Center

PREVENTION & ENFORCEMENT: NGIPS | NGFW | IPSx | Virtual | SSL

Advanced Malware Protection

Cutting-edge technologies for comprehensive protection

Page 12

MANAGEMENT: Sourcefire Defense Center®

Page 13

Sourcefire Defense Center®

Customizable dashboard

Comprehensive reports & alerts

Centralized policy administration

Hierarchical management

High availability

Integrates with existing security

Centralized Command & Control

Page 14

FireSIGHT™ Sees “Everything”

Categories | Samples | Sourcefire NGIPS & NGFW | Typical IPS | Typical NGFW
Threats | Attacks, Anomalies | ✔ | ✔ | ✔
Users | AD, LDAP, POP3 | ✔ | ✗ | ✔
Web Applications | Facebook Chat, Ebay | ✔ | ✗ | ✔
Application Protocols | HTTP, SMTP, SSH | ✔ | ✗ | ✔
Client Applications | Firefox, IE6, Chrome | ✔ | ✗ | ✗
Network Servers | Apache 2.3.1, IIS4 | ✔ | ✗ | ✗
Operating Systems | Windows, Linux | ✔ | ✗ | ✗
Routers & Switches | Cisco, Nortel | ✔ | ✗ | ✗
Wireless Access Points | Linksys, Netgear | ✔ | ✗ | ✗
Mobile Devices | iPhone, Android | ✔ | ✗ | ✗
Printers | HP, Xerox, Canon | ✔ | ✗ | ✗
VoIP Phones | Avaya, Polycom | ✔ | ✗ | ✗
Virtual Machines | VMware, Xen | ✔ | ✗ | ✗

Page 15

Complete network and endpoint visibility. FireSIGHT delivers a level of environmental awareness and automation never seen before in the industry.

Page 16

FireSIGHT Fuels Automation

IT Insight: spot rogue hosts, anomalies, policy violations, and more

Impact Assessment: threat correlation reduces actionable events by up to 99%

Automated Tuning: adjust IPS policies automatically based on network change

User Identification: associate users with security and compliance events
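The impact assessment item above is the one step on this slide that is a concrete algorithm, so here it is worked through as an added example (this is not Sourcefire code): each IPS event is correlated with a passively built profile of its target host (OS family, listening services, vulnerabilities mapped to the host) and tagged with an impact level, and only the top levels are queued for an analyst. The level numbering follows the publicly documented FireSIGHT impact-flag scheme; the hosts, rule metadata and events are constructed for the example.

```python
"""Impact assessment by correlating IPS events with a passive host inventory.

Added example, not Sourcefire code. Hosts, rules and events are constructed.
Impact numbering mirrors the documented FireSIGHT scheme: 1 vulnerable,
2 potentially vulnerable, 3 currently not vulnerable, 4 unknown target
(no host profile), 0 unknown (rule says nothing about what it targets).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Host:
    ip: str
    os: str                      # OS family learned passively, e.g. "windows"
    services: Dict[int, str]     # listening port -> service name
    cves: Set[str] = field(default_factory=set)  # vulnerabilities mapped to host


@dataclass
class Rule:
    sid: int
    msg: str
    target_os: Set[str]            # OS families the exploit applies to; empty = any
    target_service: Optional[str]  # service the exploit needs, or None
    cves: Set[str]                 # CVEs whose exploitation the rule detects


@dataclass
class Event:
    sid: int
    src: str
    dst: str
    dport: int


# Constructed inventory (what passive discovery would have built).
HOSTS = {
    "10.0.0.5": Host("10.0.0.5", "windows", {445: "smb", 80: "iis"}, {"CVE-2008-4250"}),
    "10.0.0.7": Host("10.0.0.7", "linux", {80: "apache", 22: "ssh"}),
    "10.0.0.9": Host("10.0.0.9", "windows", {3389: "rdp"}),
}

# Constructed rule metadata (a real rule carries this in its references).
RULES = {
    1001: Rule(1001, "NetAPI MS08-067 exploit attempt", {"windows"}, "smb", {"CVE-2008-4250"}),
    1002: Rule(1002, "IIS ISAPI .ida overflow attempt", {"windows"}, "iis", {"CVE-2001-0500"}),
    1003: Rule(1003, "Apache chunked-encoding overflow attempt", {"linux"}, "apache", {"CVE-2002-0392"}),
    1004: Rule(1004, "ICMP large echo request", set(), None, set()),
}

# Constructed events, in arrival order.
EVENTS = [
    Event(1001, "192.0.2.10", "10.0.0.5", 445),
    Event(1001, "192.0.2.10", "10.0.0.9", 445),
    Event(1003, "192.0.2.11", "10.0.0.5", 80),
    Event(1003, "192.0.2.11", "10.0.0.7", 80),
    Event(1002, "192.0.2.12", "10.0.0.77", 80),
    Event(1004, "192.0.2.13", "10.0.0.7", 0),
]


def assess(event: Event, hosts: Dict[str, Host], rules: Dict[int, Rule]) -> int:
    """Return the impact level for one event."""
    rule = rules[event.sid]
    host = hosts.get(event.dst)
    if host is None:
        return 4                                   # target not in the network map
    if not rule.cves and not rule.target_os and rule.target_service is None:
        return 0                                   # rule carries no target information
    if rule.cves & host.cves:
        return 1                                   # host is mapped as vulnerable to this CVE
    os_ok = not rule.target_os or host.os in rule.target_os
    svc_ok = rule.target_service is None or host.services.get(event.dport) == rule.target_service
    if os_ok and svc_ok:
        return 2                                   # right OS and service, vulnerability unconfirmed
    return 3                                       # wrong OS or service: the attack cannot succeed


# Analyst priority: confirmed and likely hits first, unknowns last.
PRIORITY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def triage(events, hosts, rules) -> List[Tuple[int, Event]]:
    """Events tagged with impact, highest priority first (stable within a level)."""
    scored = [(assess(e, hosts, rules), e) for e in events]
    return sorted(scored, key=lambda pair: PRIORITY[pair[0]])


def actionable(events, hosts, rules) -> int:
    """Number of events an analyst must look at now (impact 1 or 2)."""
    return sum(1 for impact, _ in triage(events, hosts, rules) if impact in (1, 2))


if __name__ == "__main__":
    for impact, e in triage(EVENTS, HOSTS, RULES):
        print(f"impact {impact}  sid {e.sid}  {e.src} -> {e.dst}:{e.dport}  {RULES[e.sid].msg}")
    print(f"{actionable(EVENTS, HOSTS, RULES)} of {len(EVENTS)} events need attention")
```

On this constructed data two of six events survive triage: the MS08-067 attempt against the host mapped with that CVE (impact 1) and the Apache attempt against a Linux host actually running Apache (impact 2). The same exploit aimed at a host without the service, or at a host of the wrong OS, drops to impact 3, which is where the bulk of the event reduction comes from in practice.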

Page 17

Collective Security Intelligence

Inputs:
▸ Private & Public Threat Feeds
▸ Honeypots
▸ Advanced Microsoft & Industry Disclosures
▸ 50,000 Malware Samples per Day
▸ Snort® & ClamAV™ Open Source Communities
▸ Sourcefire AEGIS™ Program
▸ Sourcefire FireCLOUD™

Sourcefire Vulnerability Research Team

Outputs:
▸ IPS Rules
▸ Malware Protection
▸ IP & URL Blacklists
▸ Vulnerability Database Updates

Global Visibility Through Open Community

Page 18

NETWORK: Sourcefire Network Security Solutions

Page 19

Gartner Defines NGIPS & NGFW

Next-Gen IPS (NGIPS)
▸ Standard first-gen IPS
▸ Application awareness and full-stack visibility
▸ Context awareness
▸ Content awareness
▸ Agile engine

Next-Gen Firewall (NGFW)
▸ Standard first-gen firewall
▸ Application awareness and full-stack visibility
▸ Integrated network IPS
▸ Extra-firewall intelligence

Source: “Defining Next-Generation Network Intrusion Prevention,” Gartner, October 7, 2011; “Defining the Next-Generation Firewall,” Gartner, October 12, 2009

“Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities.”

Page 20

Our Approach to Next-Generation Network Security

Chart: capability coverage across Access Control, Contextual Awareness, Threat Prevention and App Control for a typical IPS, a typical firewall, typical NGFWs, and Sourcefire NGFW | NGIPS with FireSIGHT Technology.

Single platform, with single pass engine, providing the benefits of a converged infrastructure…

…and the benefits of Agile Security

Page 21

Sourcefire Next-Generation Security

Key Capabilities | NGIPS | NGIPS with App Control | NGFW
Network Intelligence | ✔ | ✔ | ✔
Impact Assessment | ✔ | ✔ | ✔
Automated Tuning | ✔ | ✔ | ✔
Threat Prevention | ✔ | ✔ | ✔
Application Control | | ✔* | ✔
Stateful Firewall | | | ✔
Switching, Routing & NAT | | | ✔
URL Filtering | | Subscription | Subscription

* Control license required

One Universal Platform, Three Flexible Configurations

Page 22

FirePOWER™ Technology

Custom-designed, specialized network processor powers industry-leading performance

Page 23

Enterprise Performance and Scale

NSS Labs Test Results

▸ Highest throughput ever tested

▸ Lowest price per Mbps

▸ Lowest energy cost per Mbps

Source: NSS Labs, “Network IPS 2010 Comparative Test Results,” December 2010 and “Sourcefire 3D8260 IPS Appliance Test Report,” April 2011.

Comparisons | Sourcefire | Next-Closest
IPS Throughput | 27.6 Gbps | 11.5 Gbps
Price / Mbps | $19 | $33
Annual Energy Cost per Mbps | 4¢ | 6¢

Unprecedented Performance Delivered

“The 3D8260 offers the highest accuracy and throughput of any product we’ve tested to date.”

- NSS Labs Test Report

Page 24

The Industry’s Best Threat Prevention

NSS Labs Test Results

▸ #1 in default protection

▸ #1 in tuned protection

▸ 100% evasion free

Source: NSS Labs, “Network IPS 2010 Comparative Test Results,” December 2010 and “Sourcefire 3D8260 IPS Appliance Test Report,” April 2011.

“This is the second year in a row that Sourcefire blocked the most attacks of all products.”

- NSS Labs Test Report

Period.

Chart: Default Protection and Tuned Protection, Sourcefire vs. Industry Average.

Page 25

NSS Labs Testing

NGIPS

“For the past four years, Sourcefire has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities.”

- Vikram Phatak, CTO, NSS Labs, Inc.

Ratings*
▸ 99% detection & protection
▸ 34 Gbps inspected throughput
▸ 60M concurrent connections
▸ $15 TCO / protected Mbps

Leadership*
▸ #1 in detection
▸ #1 in performance
▸ #1 in vulnerability coverage
▸ 100% evasion free

NGFW

“Networks looking to update their defenses with a Next-Generation Firewall would do well to consider Sourcefire's entry into the NGFW market as a solid contender.”

- Bob Walder, NSS Labs, Inc.

Ratings*
▸ 99% protection
▸ 10 Gbps inspected throughput
▸ 15M concurrent connections
▸ $33 TCO / protected Mbps

Leadership*
▸ #1 in detection
▸ Class leader in performance
▸ Class leader for TCO
▸ 100% evasion free

* NSS Labs, “Network IPS 2010 Comparative Test Results,” December 2010; NSS Labs, “Network IPS Product Analysis Sourcefire 3D8260 v4.10,” April 2012; NSS Labs, “Next-Generation Firewall Product Analysis – Sourcefire,” October 2012

Page 26

FirePOWER NGIPS: NSS Labs Test

“For the past four years, Sourcefire has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities.”

- Vikram Phatak, CTO, NSS Labs, Inc.

Leadership*
▸ #1 in detection
▸ #1 in performance
▸ #1 in vulnerability coverage
▸ 100% evasion free

Ratings (NGIPS – 8260)**
▸ 99% detection & protection
▸ 34 Gbps inspected throughput
▸ 60M concurrent connections
▸ $15 TCO / protected Mbps

* NSS Labs, “Network IPS 2010 Comparative Test Results,” December 2010
** NSS Labs, “Network IPS Product Analysis Sourcefire 3D8260 v4.10,” April 2012

Page 27

FirePOWER NGFW: NSS Labs Test

“Networks looking to update their defenses with a Next-Generation Firewall would do well to consider Sourcefire's entry into the NGFW market as a solid contender.”

- Bob Walder, NSS Labs, Inc.

NGFW Leadership*
▸ #1 in detection
▸ Class leader in performance
▸ Class leader for TCO
▸ 100% evasion free

Ratings (8250 – NGFW)*
▸ 99% protection
▸ 10 Gbps real-world throughput
▸ 15M concurrent connections
▸ $33 TCO / protected Mbps

* NSS Labs, “Next-Generation Firewall Product Analysis – Sourcefire,” October 2012

Page 28

Reduce Risk Through Granular Application Control

Control access to Web-enabled apps and devices

▸ “Employees may view Facebook, but only Marketing may post to it”

▸ “No one may use peer-to-peer file sharing apps”

Over 1,000 apps, devices, and more!

Page 29

Reduce Client-Side Threats and Improve Productivity with URL Filtering

Block non-business-related sites by category

Configure policies based on users and groups

Over 280 million URLs

Over 80 URL categories

Page 30

What Makes Sourcefire Different?

Total Network Visibility

▸ Passive, real-time visibility of apps, users, content, hosts, attacks, and more

Control Without Compromise

▸ Achieve granular network and application access control without compromising threat prevention

Intelligent Security Automation

▸ Leverage rich contextual awareness to automate key security functions, including impact assessment and policy tuning

Unparalleled Performance & Scalability

▸ Purpose-built appliances with FirePOWER™ technology

The Only NGFW with NGIPS!

Page 31

Advanced Malware Protection: FireAMP

Page 32

Threats Continue to Evolve

“Nearly 60% of respondents were at least ‘fairly certain’ their company had been a target.” – Network World (11/2011)

The likelihood that you will be attacked by advanced malware has never been greater.

75% of attacks are seen on only one computer

Page 33

Introducing FireAMP

The only way to get the visibility & control needed to fight threats missed by other security layers.

Analyze & Block Advanced Malware Utilizing Big Data Analytics

Page 34

Our Approach to Advanced Malware Protection

Lightweight Connector

• Watches for move/copy/execute

• Traps fingerprint & attributes

Web-based Manager

• Transaction Processing

• Analytics

• Intelligence

Mobile Connector

• Watches for apps

• Traps fingerprint & attributes

Page 35

Visibility & Control with FireAMP

Reporting

Trajectory

Analysis

Control

Page 36

Spotlight: Reporting

Customize by Group – Schedule or On Demand

Applications Introducing Malware

Threats Resident on First Scan

Possible APT

Page 37

Spotlight: File Trajectory

Malware “Flight Recorder” shows point of entry and extent of outbreak

▸ Discover the malware gateway to reduce the risk of re-infection
▸ Identify systems that have downloaded/executed a specific malware file
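File trajectory as described on this slide, reconstructed from the kind of move/copy/execute records the connector on page 34 collects, as an added example that is not FireAMP code. The events, host names, process names and the fingerprint value are all constructed. The three questions the slide poses map onto three functions: where the file entered, which hosts received it and which of those actually executed it, and which host handed it on to the most others (the gateway to clean first, or it will re-seed the outbreak).

```python
"""File trajectory reconstruction from endpoint connector events.

Added example, not FireAMP code. Every event below is constructed: it is
what a connector would record (timestamp, host, action on a file, the file's
fingerprint, and where the file came from). The hash is a placeholder.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class FileEvent:
    ts: str        # ISO-8601 timestamp as the connector reported it
    host: str      # endpoint that observed the file
    action: str    # "create", "copy", "move" or "execute"
    sha256: str    # file fingerprint
    source: str    # process that wrote it, or host it was copied from


HASH = "11" * 32           # constructed placeholder fingerprint of the outbreak file
OTHER = "22" * 32          # an unrelated file, to show the filter

EVENTS = [
    FileEvent("2012-06-01T09:00:00", "ws-mkt-03", "create",  HASH, "outlook.exe"),
    FileEvent("2012-06-01T09:02:10", "ws-mkt-03", "execute", HASH, "explorer.exe"),
    FileEvent("2012-06-01T09:05:00", "fs-01",     "copy",    HASH, "ws-mkt-03"),
    FileEvent("2012-06-01T10:12:00", "ws-eng-11", "copy",    HASH, "fs-01"),
    FileEvent("2012-06-01T10:13:30", "ws-eng-11", "execute", HASH, "explorer.exe"),
    FileEvent("2012-06-01T11:00:00", "ws-hr-02",  "copy",    HASH, "fs-01"),
    FileEvent("2012-06-01T11:30:00", "ws-hr-02",  "execute", OTHER, "explorer.exe"),
]


def trajectory(events: List[FileEvent], sha256: str) -> List[FileEvent]:
    """All sightings of one file in time order: the flight recorder tape."""
    return sorted((e for e in events if e.sha256 == sha256),
                  key=lambda e: datetime.fromisoformat(e.ts))


def point_of_entry(events, sha256) -> Optional[Tuple[str, str, str]]:
    """(host, timestamp, source) of the first sighting: how the file got in."""
    seen = trajectory(events, sha256)
    if not seen:
        return None
    first = seen[0]
    return first.host, first.ts, first.source


def outbreak_extent(events, sha256) -> Dict[str, Dict[str, object]]:
    """Per host: first sighting and whether the file was ever executed there.

    A host that only received the file needs cleanup; one that executed it
    needs a full investigation, so the two are kept apart."""
    extent: Dict[str, Dict[str, object]] = {}
    for e in trajectory(events, sha256):
        entry = extent.setdefault(e.host, {"first_seen": e.ts, "executed": False})
        if e.action == "execute":
            entry["executed"] = True
    return extent


def gateway(events, sha256) -> Optional[str]:
    """Host that handed the file to the most other hosts: the re-infection risk."""
    hosts = {e.host for e in events}
    origins = Counter(e.source for e in trajectory(events, sha256)
                      if e.action in ("copy", "move") and e.source in hosts)
    return origins.most_common(1)[0][0] if origins else None


if __name__ == "__main__":
    print("point of entry:", point_of_entry(EVENTS, HASH))
    for host, info in outbreak_extent(EVENTS, HASH).items():
        print(f"  {host}: first seen {info['first_seen']}, executed={info['executed']}")
    print("gateway to clean first:", gateway(EVENTS, HASH))
```

On the constructed tape the file arrives on ws-mkt-03 via the mail client, is copied to the file server fs-01, and from there reaches two more workstations; only one of them runs it. Cleaning ws-mkt-03 alone would leave fs-01 ready to re-infect, which is what the slide's "malware gateway" point is about.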

Page 38

Spotlight: File Analysis

Original file, network capture and screen shots of malware execution

Understand root cause and remediation

Sourcefire VRT Powered Insight into Advanced Malware Behavior

Figure: an infected file (File 4E7E9331D22190FD41CACFE2FC843F) flows from FireAMP & clients to Sourcefire VRT sandbox analysis.

Page 39

Spotlight: Outbreak Control

Tool | How it Works | When to Use
Simple Custom Detections | Cloud-based, uses SHA or original file | Fastest way to block specific malware.
Advanced Custom Signatures | Client-based, uses advanced techniques (e.g. offsets, wildcards, regular expressions) | Useful for families of malware or to close the gap when waiting on a signature from the security vendor
Application Blocking Lists | Cloud-based, uses SHA or original file | Blocks execution of applications based on group policy (e.g. no Skype in HR); good for zero day
Custom Whitelists | Cloud-based, uses SHA or original file | Prevent false positives on trusted apps and standard images

Create custom protection policies to stop outbreaks without updates

Cloud Recall quarantines malware based on past exposure
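The four tools in the table combined into one evaluation path, added here as an example and not FireAMP's code. The files, hashes, group policy and signatures are constructed. For the advanced custom signatures the syntax is modelled on ClamAV's public ndb body-signature format (Name:Type:Offset:HexSig, with "??" for one wildcard byte and "*" for any run of bytes), since the page does not describe FireAMP's own format. The order of the checks is the point: a whitelist entry wins first so a broad family signature can never quarantine a trusted tool, exact-hash blocks come next because they are cheap and certain, and pattern signatures run last to catch the variant whose hash nobody has yet.

```python
"""Outbreak control: whitelist, SHA blocklist, per-group application blocking
and advanced custom signatures evaluated in one precedence order.

Added example, not FireAMP code. Files, hashes, group policy and signatures
are constructed. Signature syntax is modelled on ClamAV's public ndb format
(Name:Type:Offset:HexSig with ?? and * wildcards), not on FireAMP's own.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compile_hexsig(hexsig: str):
    """Turn an ndb-style hex body signature into a compiled byte regex.

    ?? matches any single byte, * matches any run of bytes (shortest),
    everything else must be hex byte pairs."""
    tokens = re.findall(r"\?\?|\*|[0-9a-fA-F]{2}", hexsig)
    if "".join(tokens) != hexsig:
        raise ValueError(f"malformed hex signature: {hexsig!r}")
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def is_valid_hexsig(hexsig: str) -> bool:
    try:
        compile_hexsig(hexsig)
        return True
    except ValueError:
        return False


class Signature:
    """One advanced custom signature with an absolute offset or '*' (anywhere)."""

    def __init__(self, line: str):
        name, _target_type, offset, hexsig = line.split(":", 3)
        self.name = name
        self.offset: Optional[int] = None if offset == "*" else int(offset)
        self.regex = compile_hexsig(hexsig)

    def matches(self, data: bytes) -> bool:
        if self.offset is None:
            return self.regex.search(data) is not None
        return self.regex.match(data, self.offset) is not None


# Constructed sample files (not real malware): an 8-byte header then a marker.
DROPPER_V1  = b"MZ" + b"\x90" * 6 + b"DROPPER-v1 c2=10.0.0.1\n"
DROPPER_V2  = b"MZ" + b"\x90" * 6 + b"DROPPER-v2 c2=203.0.113.5\n"   # new variant, hash unknown
VENDOR_TOOL = b"MZ" + b"\x90" * 6 + b"DROPPER-vendor diag tool\n"    # benign, resembles the family
BEACON_CFG  = b"[cfg]\nc2=198.51.100.7\n"                            # non-PE artefact, same campaign
SKYPE       = b"MZ" + b"\x00" * 6 + b"Skype.exe\n"
README      = b"hello world\n"

# Hashes are computed here so the example stays self-consistent; in practice
# they come from the console or from uploading the original file.
SIMPLE_DETECTIONS: Dict[str, str] = {sha256(DROPPER_V1): "Dropper.v1"}        # cloud SHA blocklist
CUSTOM_WHITELIST: Dict[str, str] = {sha256(VENDOR_TOOL): "vendor-diag-tool"}  # trusted apps / gold image
APP_BLOCKING: Dict[str, Dict[str, str]] = {"HR": {sha256(SKYPE): "Skype"}}    # per-group policy
ADVANCED_SIGNATURES = [
    # "MZ", six wildcard bytes, then "DROPPER-v" at offset 0: catches the family
    Signature("Dropper.Family.A:0:0:4d5a????????????44524f505045522d76"),
    # "c2=" followed somewhere by a newline, anywhere in the file
    Signature("Dropper.Beacon:0:*:63323d*0a"),
]


def verdict(data: bytes, group: str) -> Tuple[str, str]:
    """Allow or block a file seen on an endpoint in `group`, with the reason."""
    h = sha256(data)
    if h in CUSTOM_WHITELIST:
        return "allow", f"whitelist:{CUSTOM_WHITELIST[h]}"
    if h in SIMPLE_DETECTIONS:
        return "block", f"simple-detection:{SIMPLE_DETECTIONS[h]}"
    if h in APP_BLOCKING.get(group, {}):
        return "block", f"app-blocking:{group}:{APP_BLOCKING[group][h]}"
    for sig in ADVANCED_SIGNATURES:
        if sig.matches(data):
            return "block", f"signature:{sig.name}"
    return "allow", "no-match"


if __name__ == "__main__":
    for label, data, group in [("dropper v1", DROPPER_V1, "Engineering"),
                               ("dropper v2", DROPPER_V2, "Engineering"),
                               ("vendor tool", VENDOR_TOOL, "Engineering"),
                               ("beacon cfg", BEACON_CFG, "HR"),
                               ("skype in HR", SKYPE, "HR"),
                               ("skype in Eng", SKYPE, "Engineering"),
                               ("readme", README, "HR")]:
        print(f"{label:13s} {verdict(data, group)}")
```

The vendor tool would match the family signature byte-for-byte, which is exactly the false positive the whitelist row of the table exists to prevent; the second dropper variant has no hash on any list and is stopped only by the offset-anchored wildcard signature, which is the "close the gap while waiting on a vendor signature" case.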

Page 40

FireAMP is Enterprise Ready

Manageability

▸ Complete deployment, policy configuration, integration with AD/LDAP

Performance

▸ Lightweight connector, heavy lifting in the cloud

Privacy

▸ Metadata based analysis

Page 41

What Makes Sourcefire Different?

Key Questions | FireAMP | Traditional Endpoint | Forensic Analysis | NW-based AMP

Visibility:
Do we have an advanced malware problem? | Reports | No | Not really | Yes
Which endpoint was infected first? How extensive is the outbreak? | File Trajectory | No | Sort of… | No
How does the malware behave? | File Analysis | No | Yes | Yes
What is needed to recover? | File Analysis | No | Not really | Sort of…

Control:
How can we stop the outbreak? | Outbreak Control | No | Not really | No

Page 42

Advanced Malware Protection: FireAMP Mobile

Page 43

Mobile Malware Trends

No question. Mobile devices introduce risk.

Malware is on the rise. (Source: Juniper)

BYOD brings a unique challenge.

Page 44

The BYOD Divide

40%: IT decision makers who say that workers access corporate information from employee-owned devices.

80%: Employees in the same survey who say they access corporate information from their own devices.

Source: IDC

How can you protect the enterprise if you don’t know…

1. what to protect… or…

2. the nature of the threat

Page 45

FireAMP Mobile

Advanced Malware Protection Using Big Data Analytics

Visibility: detect & analyze

▸ Android (2.1+) threats

▸ Cloud-based, real time

Control: contain & remediate

▸ Blacklists

Enterprise Ready

Page 46

Thank You.