Cisco Next Generation Security - Cisco Connect TR '14
Post on 13-Jul-2015
Next Generation Security
Mahmoud Rabi
Consulting Systems Engineer - Security
Cisco and/or its affiliates. All rights reserved. Cisco Public
All were smart. All had security.
All were seriously compromised.
Today’s Real World: Threats are evolving and evading traditional defense
So what’s changed?
Hacking has!
Industrialization of Hacking
Attackers and defenders drive each other to innovate, resulting in distinct threat cycles.
(Timeline 1985 - 2015: viruses, macro viruses, worms, spyware / rootkits, APTs, malware, hackers.)
Then: goal glory, mode noise. Now: goal profit, mode stealth.
What would you do if you knew you would be compromised?!
Attack Continuum:
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Covered across Network, Endpoint, Mobile, Virtual, Email & Web, Cloud
Point-in-time and Continuous
7 Sourcefire NGIPS & AMP Presentation
You should also know the estate of your network. You cannot protect what you cannot see:
Network Servers
Operating Systems
Routers and Switches
Mobile Devices
Printers
VoIP Phones
Virtual Machines
Client Applications
Files
Users
Web Applications
Application Protocols
Services
Processes
Malware
Command and Control Servers
Vulnerabilities
NetFlow
Network Behavior
Cisco Next Generation Security
Gartner Defines Next-Generation IPS
NGIPS Definition
• Standard First-Gen IPS
• Context Awareness
• Application Awareness and full-stack visibility
• Content Awareness
• Adaptive Engine
Download at Sourcefire.com
*Source: “Defining Next-Generation Network Intrusion Prevention”, Gartner, October 7, 2011
Context Awareness in Intrusion Events
The raw event:
Event: Attempted Privilege Gain
Target: 96.16.242.135
The same event with host context:
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: White House, US
The same event with host and user context:
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: White House, US
User ID: bobama
Full Name: Barack Obama
Department: Executive Office
FirePOWER Platform
FireSIGHT Management Center
• Context Awareness
• Operating System Identification
• Fingerprint Applications (Web, Protocol & Client Versions)
• Service Enumeration (HTTP, SMTP, RDP, etc.)
• User Awareness
• 24x7 Monitoring (Passive & Inline)
• Identify assets' potential vulnerabilities (weaknesses)
• Leveraging visibility/vulnerabilities to “adapt”
• Access Control Rules Enforcement
• Alerting, Correlation & Packet Capture
FirePOWER Platform/Services
• Inspect, Detect, Drop, Allow, etc.
• IPS, Application Control, Malware Inspection & URL Rating
• Inline, Passive & Hybrid
FireSIGHT Brings Unprecedented Network Visibility
FireSIGHT – Unique Visibility
(Comparison chart: Typical NGFW vs Cisco FireSIGHT System vs Typical IPS.)
Building Host Profile: Converting Data into Information
• OS & version identified
• Server applications and version
• Client applications and client version
• Who is at the host
• What other systems / IPs did the user have, and when?
Retrospective Security: Shrink Time between Detection and Cure
Multi-vector Correlation: Early Warning for Advanced Threats (diagram: Host A with 2 IoCs, Host B with 5 IoCs, Host C with 3 IoCs)
Adapt Policy to Risks: Dynamic Security Control
Context and Threat Correlation: Impact Assessment (Priority 1, Priority 2, Priority 3)
Automated, Integrated, Adaptive Threat Defense: Superior Protection for the Entire Attack Continuum
FireSIGHT Impact Assessment
Correlates all intrusion events to an impact of the attack against the target.
Impact flag - Administrator action: Why
1 - Act immediately, vulnerable: event corresponds to a vulnerability mapped to the host
2 - Investigate, potentially vulnerable: relevant port open or protocol in use, but no vulnerability mapped
3 - Good to know, currently not vulnerable: relevant port not open or protocol not in use
4 - Good to know, unknown target: monitored network, but unknown host
0 - Good to know, unknown network: unmonitored network
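The impact-flag table above is a correlation rule: the same intrusion event gets a different flag depending on what the host profile says about the target. The block below is an added example, not Cisco's or Sourcefire's code, that implements that rule over constructed host profiles and events; the monitored range, host IPs, open ports and the vulnerability IDs "VULN-A"/"VULN-B" are all placeholders, and the event and profile shapes are assumptions for the example.

```python
# Added example (not Cisco's code): an impact-flag correlation modelled on the
# FireSIGHT table above. Host profiles, monitored ranges and vulnerability IDs are
# constructed sample data; "VULN-A"/"VULN-B" are placeholders, not real identifiers.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class HostProfile:
    ip: str
    open_ports: set = field(default_factory=set)       # (protocol, port) pairs seen open
    vulnerabilities: set = field(default_factory=set)  # vulnerability IDs mapped to this host


@dataclass
class IntrusionEvent:
    target_ip: str
    protocol: str
    port: int
    vuln_ids: set      # vulnerabilities the triggering signature is associated with


# Administrator action per impact flag, as on the slide.
ACTIONS = {
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}


def impact_flag(event, hosts, monitored_networks):
    """Return (flag, reason) by correlating the event with what is known about the target."""
    target = ip_address(event.target_ip)
    if not any(target in net for net in monitored_networks):
        return 0, "target is in an unmonitored network"
    host = hosts.get(event.target_ip)
    if host is None:
        return 4, "monitored network, but the host is unknown"
    if host.vulnerabilities & event.vuln_ids:
        return 1, "event corresponds to a vulnerability mapped to the host"
    if (event.protocol, event.port) in host.open_ports:
        return 2, "relevant port open, but no vulnerability mapped"
    return 3, "relevant port not open or protocol not in use"


def triage(events, hosts, monitored_networks):
    """Order events so the ones needing action come first: flag 1, then 2, 3, 4, then 0."""
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    scored = []
    for ev in events:
        flag, reason = impact_flag(ev, hosts, monitored_networks)
        scored.append((flag, ACTIONS[flag], reason, ev))
    return sorted(scored, key=lambda row: order[row[0]])


# Constructed sample environment.
MONITORED = [ip_network("10.0.0.0/8")]
HOSTS = {
    "10.4.10.183": HostProfile("10.4.10.183", {("tcp", 445)}, {"VULN-A"}),
    "10.5.11.8": HostProfile("10.5.11.8", {("tcp", 80)}, set()),
}
EVENTS = [
    IntrusionEvent("10.5.11.8", "tcp", 445, {"VULN-A"}),    # port not open on that host
    IntrusionEvent("192.0.2.10", "tcp", 80, {"VULN-B"}),    # outside the monitored range
    IntrusionEvent("10.5.11.8", "tcp", 80, {"VULN-B"}),     # port open, no vuln mapped
    IntrusionEvent("10.9.9.9", "tcp", 22, {"VULN-A"}),      # never profiled
    IntrusionEvent("10.4.10.183", "tcp", 445, {"VULN-A"}),  # matches a mapped vulnerability
]


def sample_flags():
    """Flags of the constructed events in triage order."""
    return [row[0] for row in triage(EVENTS, HOSTS, MONITORED)]


if __name__ == "__main__":
    for flag, action, reason, ev in triage(EVENTS, HOSTS, MONITORED):
        print(f"impact {flag} {ev.target_ip} {ev.protocol}/{ev.port}: {action} ({reason})")
```

The ordering of the checks matters: the unmonitored-network test runs first because a host profile can only exist for monitored ranges, and the vulnerability test runs before the open-port test because a mapped vulnerability is the stronger signal. Feeding the five constructed events through `triage` returns them in flag order 1, 2, 3, 4, 0.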
Indications of Compromise (IoCs)
IPS Events: Malware Backdoors, Exploit Kits, Web App Attacks, CnC Connections, Admin Privilege Escalations
SI Events: Connections to Known CnC IPs
Malware Events: Malware Detections, Office/PDF/Java Compromises, Malware Executions, Dropper Infections
Gartner Leadership
Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.
(Magic Quadrant as of December 2013, Source: Gartner (December 2013). Axes: ability to execute vs vision; quadrants: leaders, challengers, visionaries, niche players. Vendors plotted: Sourcefire (Cisco), Cisco, HP, McAfee, IBM, StoneSoft (McAfee), Radware, Huawei, Enterasys Networks (Extreme Networks), NSFOCUS, Information Technology.)
2012 NSS Labs SVM for IPS
2013 NSS Labs SVM for IPS
ASA with FirePOWER Services Available Now!!
Industry’s First Threat-Focused NGFW
#1 Cisco Security announcement of the year!
• Integrating defense layers helps organizations get the best visibility
• Enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum
Proven Cisco ASA firewalling
Industry leading NGIPS and AMP
Cisco ASA with FirePOWER Services
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
NSS Labs – Next-Generation Firewall Security Value Map
Source: NSS Labs 2014
The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All three products achieved 99.2 percent in security effectiveness, and now all can be confident that they will receive the best protections possible regardless of deployment.
Advanced Malware Protection
Today’s Advanced Malware Is Not Just A Single Entity
It is a criminal enterprise that hides in plain sight, missed by point-in-time detection.
Continuous Protection when advanced malware evades point-in-time detection
Traditional defense (AV & sandboxing), point-in-time detection: initial disposition = clean, analysis stops, actual disposition = bad = too late!! Detection is not 100%: it is evaded by sleep techniques, unknown protocols, encryption and polymorphism.
Cisco AMP, retrospective detection: initial disposition = clean, analysis continues, actual disposition = bad = blocked.
Cisco Collective Security Intelligence
Point-in-Time Protection: File Reputation & Behavioral Detection
Continuous Protection: Retrospective Security (unique to Cisco AMP)
Cisco AMP Defends With Reputation Filtering And Behavioral Detection
Reputation Filtering and Behavioral Detection draw on: Dynamic Analysis, Machine Learning, Fuzzy Finger-printing, Advanced Analytics, One-to-One Signature, Indications of Compromise, Device Flow Correlation
Cisco AMP Defends With Retrospective Security
Built on: Trajectory, Behavioral Indications of Compromise, Breach Hunting, Retrospection, Attack Chain Weaving
Retrospective Security Is Built On…
1. Performs analysis the first time a file is seen
2. Persistently analyzes the file over time to see if the disposition is changed
3. Giving unmatched visibility into the path, actions or communications that are associated with a particular piece of software
Retrospective Security Is Built On… Behavioral Indications of Compromise
Behavioral Indications of Compromise uses Retrospection to monitor systems for suspicious and unexplained activity:
1. An unknown file is admitted into the network
2. The unknown file copies itself to multiple machines
3. Duplicates content from the hard drive
4. Sends duplicate content to an unknown IP address
Leveraging the power of Attack Chain Weaving, AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature.
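The point of the four-step chain above is that it is matched on behaviour, not on a file fingerprint. The block below is an added example, not Cisco's or Sourcefire's code, of such an attack-chain matcher: it replays a constructed event stream in time order, keeps a small per-file state machine, and raises the indicator only when the steps occur in the slide's order and the final destination is not on a known list. The event tuple shape, the file IDs "file-A"/"file-B"/"file-C", the hosts and the destination allowlist are all assumptions for the example.

```python
# Added example (not Cisco's code): an attack-chain matcher modelled on the four-step
# behaviour on the slide. It matches the sequence of actions rather than the file hash,
# so two files with different fingerprints that behave the same way both trip the indicator.
# The event stream, file IDs and the "known destination" list are constructed sample data.
from collections import defaultdict

# Destinations the environment already talks to (constructed allowlist).
KNOWN_DESTINATIONS = {"10.0.0.5", "10.0.0.6"}

# Hypothetical event shape: (timestamp, file_id, action, detail)
#   action "admitted"      detail = host the file entered on
#   action "copy_to_host"  detail = destination host
#   action "read_disk"     detail = path read
#   action "send"          detail = destination IP
SAMPLE_EVENTS = [
    (1, "file-A", "admitted", "10.4.10.183"),
    (2, "file-A", "copy_to_host", "10.5.11.8"),
    (3, "file-A", "copy_to_host", "10.3.4.51"),
    (4, "file-A", "read_disk", "C:\\Users\\docs"),
    (5, "file-A", "send", "198.51.100.7"),      # unknown IP: completes the chain
    (1, "file-B", "admitted", "10.5.60.66"),
    (2, "file-B", "copy_to_host", "10.5.11.8"),
    (3, "file-B", "copy_to_host", "10.3.4.51"),
    (4, "file-B", "read_disk", "/home/share"),
    (5, "file-B", "send", "10.0.0.5"),          # known destination: no indicator
    (1, "file-C", "admitted", "10.4.10.183"),
    (2, "file-C", "send", "198.51.100.9"),      # send without the earlier steps: no match
]


def weave_attack_chains(events, known_dests=KNOWN_DESTINATIONS, min_copies=2):
    """Replay events in time order and return {file_id: evidence} for every file whose
    actions follow: admitted -> copied to >= min_copies machines -> read disk -> sent to
    an unknown IP. Each step is only counted once the previous step has happened."""
    state = defaultdict(lambda: {"admitted": False, "copies": set(), "read_disk": False})
    hits = {}
    for ts, file_id, action, detail in sorted(events, key=lambda e: e[0]):
        s = state[file_id]
        if action == "admitted":
            s["admitted"] = True
            s["entry"] = detail
        elif action == "copy_to_host" and s["admitted"]:
            s["copies"].add(detail)
        elif action == "read_disk" and len(s["copies"]) >= min_copies:
            s["read_disk"] = True
        elif action == "send" and s["read_disk"] and detail not in known_dests:
            hits[file_id] = {
                "entry": s["entry"],
                "spread_to": sorted(s["copies"]),
                "exfil_to": detail,
                "at": ts,
            }
    return hits


def sample_hits():
    """Run the matcher over the constructed stream; only file-A completes the chain."""
    return weave_attack_chains(SAMPLE_EVENTS)


if __name__ == "__main__":
    for file_id, evidence in sample_hits().items():
        print(f"behavioral IoC for {file_id}: {evidence}")
```

The state is keyed by file only to keep the steps of one file together; nothing in the rule depends on the fingerprint, which is why file-A is caught even though file-B, which stops short at a known destination, and file-C, which skips the spreading steps, are not.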
Retrospective Security Is Built On… File Trajectory
File trajectory automatically records time, method, point of entry, systems impacted and prevalence of the file:
1. Unknown file is downloaded to device
2. Fingerprint is recorded and sent to cloud for analysis
3. The unknown file travels across the network to different devices
4. Sandbox analytics determines the file is malicious and notifies all devices
5. File trajectory provides greater visibility into the extent of an infection
(Diagram: Collective Security Intelligence Cloud connected to a network of computers, virtual machines and mobile devices.)
Retrospective Security Is Built On… Device Trajectory
1. Unknown file is downloaded to a particular device
2. The file moves around the device, executing different operations
3. Meanwhile, device trajectory records the root cause, lineage and actions of the files on a machine
4. That data pinpoints the exact cause and extent of the compromise on the device
(Diagram: Computer with Drive #1, Drive #2, Drive #3.)
Comprehensive Environment Protection with AMP Everywhere
Cisco Advanced Malware Protection
Content (threat vector: email and web); method: license with ESA or WSA; ideal for new or existing Cisco Email or Web Security customers
Network (threat vector: networks); method: stand-alone solution, or enable AMP on a FirePOWER appliance; ideal for NGIPS/NGFW customers
Endpoint (threat vector: devices); method: install on endpoints; ideal for Windows, Mac, Android, VMs
How Cisco AMP Works: Network File Trajectory Use Case
1. An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
2. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
3. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
4. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
5. The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
6. At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
7. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
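The use case above, together with the file-trajectory and retrospection slides before it, describes one data structure: a per-fingerprint record of where a file was seen, which a later cloud verdict is replayed against. The block below is an added example, not Cisco's or Sourcefire's code, that stores such a trajectory, raises a retrospective event for every host on it when the disposition turns malicious, and blocks the file at the original point of entry on its next sighting. The fingerprint "sha256:constructed-0001", the date, and the source hosts of the SMB hops (the slides only name the destinations) are assumptions for the example.

```python
# Added example (not Cisco's code): a file-trajectory store with retrospective disposition
# changes, following the use case above. Hosts and times mirror the slides; the fingerprint
# "sha256:constructed-0001", the calendar date and the SMB source hosts are constructed.
from collections import defaultdict
from datetime import datetime, timedelta


class FileTrajectory:
    def __init__(self):
        self.events = defaultdict(list)   # fingerprint -> [(time, src, dst, app)]
        self.disposition = {}             # fingerprint -> "unknown" | "clean" | "malicious"

    def record(self, fp, when, src, dst, app):
        """Record one sighting of the file; src is None for the initial download."""
        self.disposition.setdefault(fp, "unknown")
        self.events[fp].append((when, src, dst, app))

    def point_of_entry(self, fp):
        """Destination of the earliest sighting."""
        return min(self.events[fp], key=lambda e: e[0])[2]

    def hosts(self, fp):
        """Every host the file has touched, in sorted order."""
        seen = set()
        for _, src, dst, _ in self.events[fp]:
            if src:
                seen.add(src)
            seen.add(dst)
        return sorted(seen)

    def set_disposition(self, fp, verdict, when):
        """Apply a cloud verdict that arrives after the fact. When a file already allowed
        into the network turns malicious, emit one retrospective event per affected host."""
        previous = self.disposition.get(fp, "unknown")
        self.disposition[fp] = verdict
        if verdict == "malicious" and previous != "malicious":
            return [{"host": h, "fingerprint": fp, "action": "quarantine", "at": when}
                    for h in self.hosts(fp)]
        return []

    def inspect(self, fp, when, src, dst, app):
        """Inline decision for a new sighting: block a known-bad file, else record and allow."""
        if self.disposition.get(fp) == "malicious":
            return "block"
        self.record(fp, when, src, dst, app)
        return "allow"


def replay_use_case():
    """Walk the seven steps of the slides through the store and return what it concluded."""
    t = FileTrajectory()
    fp = "sha256:constructed-0001"
    t0 = datetime(2014, 1, 1, 10, 57)                       # constructed date; slide gives 10:57
    t.record(fp, t0 - timedelta(minutes=5), None, "10.4.10.183", "Firefox")   # step 1
    t.record(fp, t0, "10.4.10.183", "10.5.11.8", "unspecified")              # step 2
    t.record(fp, t0 + timedelta(hours=7), "10.5.11.8", "10.3.4.51", "SMB")    # step 3 (src assumed)
    t.record(fp, t0 + timedelta(hours=7, minutes=30),
             "10.3.4.51", "10.5.60.66", "SMB")                                # step 4 (src assumed)
    retro = t.set_disposition(fp, "malicious", t0 + timedelta(hours=7, minutes=35))  # steps 5-6
    entry = t.point_of_entry(fp)
    reentry = t.inspect(fp, t0 + timedelta(hours=8), None, entry, "Firefox")  # step 7
    return {"hosts": t.hosts(fp), "retrospective": retro, "entry": entry, "reentry": reentry}


if __name__ == "__main__":
    result = replay_use_case()
    print("point of entry:", result["entry"])
    print("hosts on trajectory:", result["hosts"])
    print("retrospective events:", len(result["retrospective"]))
    print("re-entry decision:", result["reentry"])
```

The store deliberately keeps every sighting rather than only the latest disposition: the retrospective events in step 5 can only be fanned out to all four devices because the earlier "allow" decisions were recorded, which is what the slides mean by shrinking the time between detection and cure.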
Visual Point of Reference: What is AMP exactly? What does it look like?
It also connected to a publicly available geolocation script to discover the geo of the infected endpoint as part of its enrollment to the CnC.
Searching for connections to j.maxmind.com, an analyst can also determine endpoints making this suspicious traffic to discover new infected endpoints.
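The search the slide describes, a hunt through connection records for the geolocation lookup and a grouping of the hits by endpoint, is easy to express as a small detection. The block below is an added example, not Cisco's or Sourcefire's code; the log format, the timestamps and the endpoint addresses are constructed for the example, and j.maxmind.com is the only host name taken from the slide.

```python
# Added example (not Cisco's code): find endpoints contacting the geolocation host named
# on the slide and summarise the hits per source. The proxy-style log format and all
# entries below are constructed sample data.
from collections import defaultdict
import re

SUSPECT_HOSTS = {"j.maxmind.com"}   # from the slide; extend with other lookup services as needed

# Constructed connection log: "<time> <src_ip> -> <dst_host>:<port> <action>"
SAMPLE_LOG = """\
2014-05-12T10:57:02 10.4.10.183 -> j.maxmind.com:80 allowed
2014-05-12T10:57:09 10.4.10.183 -> www.example.com:443 allowed
2014-05-12T11:03:44 10.5.11.8 -> j.maxmind.com:80 allowed
2014-05-12T11:04:01 10.5.11.8 -> J.MAXMIND.COM:80 allowed
2014-05-12T12:15:30 10.9.9.9 -> cdn.example.net:443 allowed
a malformed line that the parser must skip
2014-05-12T18:02:17 10.3.4.51 -> j.maxmind.com:80 blocked
"""

LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> ([^:\s]+):(\d+) (\w+)$")


def find_geolocation_lookups(log_text, suspect=SUSPECT_HOSTS):
    """Return {src_ip: {"count", "first", "last"}} for sources that contacted a suspect host.
    Malformed lines are skipped rather than aborting the search, and host names are
    compared case-insensitively so a differently cased record still counts."""
    found = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, src, dst, _port, _action = m.groups()
        if dst.lower() not in suspect:
            continue
        entry = found[src]
        entry["count"] += 1
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
    return dict(found)


def sample_suspects():
    """Run the search over the constructed log."""
    return find_geolocation_lookups(SAMPLE_LOG)


if __name__ == "__main__":
    for src, info in sorted(sample_suspects().items()):
        print(f"{src}: {info['count']} lookup(s), first {info['first']}, last {info['last']}")
```

The summary per source, rather than a flat list of matching lines, is what lets an analyst see at a glance which endpoints are new (first seen) and which keep enrolling (count), which is the triage question the slide raises; the blocked connection from 10.3.4.51 is still reported because the endpoint attempted the lookup.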
NSS Labs Security Value Map (SVM) for Breach Detection Systems (axes: Security Effectiveness vs TCO per Protected-Mbps)
The Results: Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value
Cisco Advanced Malware Protection: Best Protection Value, 99.0% Breach Detection Rating, Lowest TCO per Protected-Mbps
Overall Product Ratings: Cisco-Sourcefire AMP Results – For Detection Capability Only
FirePOWER Platforms
FirePOWER IPS Performance and Scalability
Deployment sizes: Data Center, Campus, Branch Office, SOHO, Internet Edge
FirePOWER 7000 Series: 50 Mbps – 250 Mbps
FirePOWER 7100 Series: 500 Mbps – 1 Gbps
FirePOWER 7120/7125/8120: 1 Gbps – 2 Gbps
FirePOWER 8100/8200: 2 Gbps – 10 Gbps
FirePOWER 8200 Series: 10 Gbps – 40 Gbps
From 50 Mbps to 60 Gbps
Modularity in 8000 Series
Fixed Connectivity in 7000 Series
Mixed SFPs in 7100 Series
Configuration Fail-Open & Fail-Close across all
Scalable 8000 Series
Runs NGIPS, AMP and App Control in the same chassis
SSL Appliance vs Integrated SSL
External SSL appliance: choose external SSL decryption for high bandwidth and the ability to inspect with other solutions, e.g. DLP. (Diagram: Client, SSL Appliance, FirePOWER, SSL Decryption Server; the client and server legs are encrypted, the leg through FirePOWER is decrypted.)
Integrated SSL: use the new built-in SSL inspection for simplicity and cost-effectiveness (v5.4 onwards only).
Fire and ISE
Threat Detection: IDS signatures, malware, traffic, application and many more
Automagical, dynamic, squirrely threat/malware/attack response/defense through the ISE EPS REST API
Quarantine Action: VLAN Assignment, dACLs, SGT, QoS TAG