cisco yeni nesil güvenlik - cisco connect tr '14

Upload: cisco-turkey

Post on 13-Jul-2015

Page 1: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14
Page 2: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Next Generation Security

Mahmoud Rabi

Consulting Systems Engineer - Security

Page 3: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Cisco and/or its affiliates. All rights reserved. Cisco Public

All were smart. All had security.

All were seriously compromised.

Today’s Real World: Threats are evolving and evading traditional defense

Page 4: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14


Today’s Real World: Threats are evolving and evading traditional defense

So what’s changed?

Hacking has!

Page 5: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Industrialization of Hacking

Attackers and defenders drive each other to innovate, resulting in distinct threat cycles.

Timeline figure (1985 to 2015): viruses; macro viruses; worms; spyware / rootkits; APTs and malware; hackers.

Left end of the timeline: Goal: Glory, mode: Noise. Right end: Goal: Profit, mode: Stealth.

Page 6: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

What would you do if you knew you would be compromised?!

Attack Continuum figure:

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Coverage: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud

Point-in-time and Continuous

Page 7: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

7 Sourcefire NGIPS & AMP Presentation

You should also know the Estate of Your Network

Network Servers

Operating Systems

Routers and Switches

Mobile Devices

Printers

VoIP Phones

Virtual Machines

Client Applications

Files

Users

Web Applications

Application Protocols

Services

Malware

Command and Control

Servers

Vulnerabilities

NetFlow

Network Behavior

Processes

You cannot protect what you cannot see

Page 8: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Cisco Next Generation Security

Page 9: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Gartner Defines Next-Generation IPS

NGIPS Definition

• Standard First-Gen IPS

• Context Awareness

• Application Awareness and full-stack visibility

• Content Awareness

• Adaptive Engine

Download at Sourcefire.com

*Source: “Defining Next-Generation Network Intrusion Prevention”, Gartner, October 7, 2011

Page 10: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Context Awareness in Intrusion Events

The same intrusion event, shown with progressively more context:

Event only:
Event: Attempted Privilege Gain
Target: 96.16.242.135

With host context:
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: Whitehouse, US

With host and user context:
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: Whitehouse, US
User ID: bobama
Full Name: Barack Obama
Department: Executive Office

Page 11: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

FirePOWER Platform

FireSIGHT Management Center

• Context Awareness

• Operating System Identification

• Fingerprint Applications (Web, Protocol & Client Versions)

• Service Enumeration (HTTP, SMTP, RDP, etc.)

• User Awareness

• 24x7 Monitoring (Passive & Inline)

• Identify assets' potential vulnerabilities (weaknesses)

• Leveraging visibility/vulnerabilities to “adapt”

• Access Control Rules Enforcement

• Alerting, Correlation & Packet Capture

FirePOWER Platform/Services

• Inspect, Detect, Drop, Allow, etc.

• IPS, Application Control, Malware Inspection & URL Rating

• Inline, Passive & Hybrid

Page 12: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

FireSIGHT Brings Unprecedented Network Visibility

Page 13: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Page 14: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

FireSIGHT – Unique Visibility

Comparison figure: Typical NGFW vs. Cisco FireSIGHT System vs. Typical IPS

Page 15: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Building Host Profile: Converting Data into Information

• OS & version identified

• Server applications and version

• Client applications and client version

• Who is at the host

• What other systems / IPs did the user have, and when?

Page 16: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Retrospective Security: Shrink Time between Detection and Cure

Automated, Integrated, Adaptive Threat Defense: Superior Protection for the Entire Attack Continuum

Figure panels:

• Multi-vector Correlation: Early Warning for Advanced Threats (PDF, Mail, Admin and Request events correlated across Host A, Host B and Host C, carrying 2, 5 and 3 IoCs)

• Adapt Policy to Risks: Dynamic Security Control

• Context and Threat Correlation: Impact Assessment (Priority 1, Priority 2, Priority 3)

Page 17: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

FireSIGHT Impact Assessment

Correlates all intrusion events to an impact of the attack against the target.

Impact Flag | Administrator Action                   | Why
1           | Act immediately, vulnerable            | Event corresponds to vulnerability mapped to host
2           | Investigate, potentially vulnerable    | Relevant port open or protocol in use, but no vuln mapped
3           | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4           | Good to know, unknown target           | Monitored network, but unknown host
0           | Good to know, unknown network          | Unmonitored network
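The impact-flag table above is a decision procedure: given what passive discovery already knows about the target host, each intrusion event is sorted into one of five buckets so the analyst acts on flag 1 first. The block below is an added example written for this page, not Cisco or Sourcefire code; the host profiles, the monitored range, the vulnerability id "VULN-A" and the events are constructed sample data, and the flag logic follows the table rows in order.

```python
"""Impact-flag assignment for intrusion events, modelled on the
FireSIGHT impact-assessment table (added example, not vendor code).
All host profiles, events and network ranges are constructed samples."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Administrator action per flag, as stated in the table.
ACTION = {
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}


@dataclass
class HostProfile:
    """What passive discovery knows about one host (constructed sample)."""
    ip: str
    open_ports: set = field(default_factory=set)   # listening TCP/UDP ports
    protocols: set = field(default_factory=set)    # application protocols seen
    vulns: set = field(default_factory=set)        # vulnerability ids mapped to host


@dataclass
class IntrusionEvent:
    """One IPS event: the target and what the signature is associated with."""
    target_ip: str
    port: int
    app_proto: str
    vulns: frozenset   # vulnerability ids the triggering signature exploits


def impact_flag(event, hosts, monitored_nets):
    """Return the impact flag (0-4) for one event, checking the table rows in order."""
    target = ip_address(event.target_ip)
    if not any(target in net for net in monitored_nets):
        return 0                                   # flag 0: unmonitored network
    host = hosts.get(event.target_ip)
    if host is None:
        return 4                                   # flag 4: monitored, host unknown
    if event.vulns & host.vulns:
        return 1                                   # flag 1: vuln mapped to host
    if event.port in host.open_ports or event.app_proto in host.protocols:
        return 2                                   # flag 2: port open / protocol in use
    return 3                                       # flag 3: not listening, not in use


# Constructed environment: one monitored /8 and three profiled hosts.
MONITORED = [ip_network("10.0.0.0/8")]
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", {80}, {"http"}, {"VULN-A"}),
    "10.1.1.11": HostProfile("10.1.1.11", {22}, {"ssh"}, set()),
    "10.1.1.12": HostProfile("10.1.1.12", {80}, {"http"}, set()),
}

# Constructed events; every signature here is associated with VULN-A on HTTP/80.
SAMPLE_EVENTS = [
    IntrusionEvent("10.1.1.10", 80, "http", frozenset({"VULN-A"})),   # vuln mapped     -> 1
    IntrusionEvent("10.1.1.12", 80, "http", frozenset({"VULN-A"})),   # port open only  -> 2
    IntrusionEvent("10.1.1.11", 80, "http", frozenset({"VULN-A"})),   # nothing on 80   -> 3
    IntrusionEvent("10.1.1.99", 80, "http", frozenset({"VULN-A"})),   # unknown host    -> 4
    IntrusionEvent("192.0.2.5", 80, "http", frozenset({"VULN-A"})),   # outside network -> 0
]


def assess(events=SAMPLE_EVENTS, hosts=HOSTS, nets=MONITORED):
    """Return [(target_ip, flag, action)] ordered so flag 1 is handled first."""
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    rows = []
    for e in events:
        flag = impact_flag(e, hosts, nets)
        rows.append((e.target_ip, flag, ACTION[flag]))
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for ip, flag, action in assess():
        print(f"impact {flag}  {ip:<12} {action}")
```

The ordering in `impact_flag` matters: a host with a mapped vulnerability gets flag 1 even if the port check would also pass, and the network check runs before the host lookup so a hit against an address the sensor never profiles is never mistaken for a vulnerable target.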

Page 18: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Indications of Compromise (IoCs)

IPS Events: Malware Backdoors; Exploit Kits; Web App Attacks; CnC Connections; Admin Privilege Escalations

SI Events: Connections to Known CnC IPs

Malware Events: Malware Detections; Office/PDF/Java Compromises; Malware Executions; Dropper Infections

Page 19: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Gartner Leadership

Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.

Magic Quadrant figure (as of December 2013; source: Gartner, December 2013). Axes: ability to execute (vertical) and vision (horizontal). Quadrants: challengers, leaders, niche players, visionaries. Vendors plotted: Radware, StoneSoft (McAfee), IBM, Cisco, HP, McAfee, Sourcefire (Cisco), Huawei, Enterasys Networks (Extreme Networks), NSFOCUS.

Page 20: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

2012 NSS Labs SVM for IPS

Page 21: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

2013 NSS Labs SVM for IPS

Page 22: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14


ASA with FirePOWER Services Available Now!!

Industry’s First Threat-Focused NGFW

#1 Cisco Security announcement of the year!

• Integrating defense layers helps organizations get the best visibility

• Enable dynamic controls to automatically adapt

• Protect against advanced threats across the entire attack continuum

Proven Cisco ASA firewalling

Industry leading NGIPS and AMP

Cisco ASA with FirePOWER Services

Page 23: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

NSS Labs – Next-Generation Firewall Security Value Map (Source: NSS Labs 2014)

The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All three products achieved 99.2 percent in security effectiveness, and now all can be confident that they will receive the best protections possible regardless of deployment.

Page 24: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Advanced Malware Protection

Page 25: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Today’s Advanced Malware Is Not Just A Single Entity

It is a criminal enterprise that hides in plain sight

Missed by Point-in-time Detection

Page 26: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Continuous Protection when advanced malware evades point-in-time detection

Traditional Defense (AV & Sandboxing), point-in-time detection:

Initial Disposition = Clean → Analysis Stops → Actual Disposition = Bad = Too Late!!

Why point-in-time detection is not 100%: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism

Cisco AMP, retrospective detection:

Initial Disposition = Clean → Analysis Continues → Actual Disposition = Bad = Blocked

Page 27: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Cisco Collective Security Intelligence

Cisco AMP Defends With Reputation Filtering And Behavioral Detection

Point-in-Time Protection: File Reputation & Behavioral Detection

Reputation Filtering and Behavioral Detection techniques: One-to-One Signature; Fuzzy Finger-printing; Machine Learning; Advanced Analytics; Dynamic Analysis; Indications of Compromise; Device Flow Correlation

Continuous Protection (unique to Cisco AMP): Retrospective Security

Page 28: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Cisco AMP Defends With Retrospective Security

Retrospective security capabilities: Trajectory; Behavioral Indications of Compromise; Breach Hunting; Retrospection; Attack Chain Weaving

Page 29: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Retrospective Security Is Built On…

1. Performs analysis the first time a file is seen

2. Persistently analyzes the file over time to see if the disposition is changed

3. Giving unmatched visibility into the path, actions or communications that are associated with a particular piece of software

Page 30: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Retrospective Security Is Built On…

Behavioral Indications of Compromise uses Retrospection to monitor systems for suspicious and unexplained activity

1. An unknown file is admitted into the network

2. The unknown file copies itself to multiple machines

3. Duplicates content from the hard drive

4. Sends duplicate content to an unknown IP address

Leveraging the power of Attack Chain Weaving, AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature

Page 31: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Retrospective Security Is Built On…

File trajectory automatically records time, method, point of entry, systems impacted and prevalence of the file

1. Unknown file is downloaded to device

2. Fingerprint is recorded and sent to cloud for analysis

3. The unknown file travels across the network to different devices

4. Sandbox analytics determines the file is malicious and notifies all devices

5. File trajectory provides greater visibility into the extent of an infection

Figure: Collective Security Intelligence Cloud connected to the network and to computer, virtual machine and mobile devices

Page 32: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Retrospective Security Is Built On…

Device trajectory:

1. Unknown file is downloaded to a particular device

2. The file moves around the device, executing different operations

3. Meanwhile, device trajectory records the root cause, lineage and actions of the files on a machine

4. That data pinpoints the exact cause and extent of the compromise on the device

Figure: the file moving across Drive #1, Drive #2 and Drive #3 on the computer

Page 33: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Comprehensive Environment Protection with AMP Everywhere

Cisco Advanced Malware Protection

AMP Protection | Method                                                      | Ideal for                                             | Threat Vector
Content        | License with ESA or WSA                                     | New or existing Cisco Email or Web Security customers | Email and Web
Network        | Stand Alone Solution -or- Enable AMP on FirePOWER Appliance | NGIPS/NGFW customers                                  | Networks
Endpoint       | Install on endpoints                                        | Windows, Mac, Android, VMs                            | Devices

Page 34: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

How Cisco AMP Works: Network File Trajectory Use Case

Page 35: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Page 36: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

An unknown file is present on IP: 10.4.10.183, having been downloaded from Firefox

Page 37: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP: 10.5.11.8

Page 38: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application

Page 39: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later

Page 40: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.

Page 41: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware

Page 42: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
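The use case above is the essence of retrospective security: every sighting of a file is recorded as it happens, and when the disposition later flips to malicious the stored trajectory answers "where did it enter, and which hosts have it" without re-scanning anything. The block below is an added example written for this page, not Cisco or Sourcefire code. It replays the four-device sequence with the addresses, methods and intervals the slides give; the file hash, the calendar date behind 10:57 and the method of the 10:57 transfer are constructed placeholders because the slides do not state them.

```python
"""Network file trajectory with a retrospective disposition change,
replaying the four-device use case (added example, not vendor code).
The hash, the calendar date and one transfer method are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sighting:
    """One observation of a file landing on a host."""
    when: datetime
    host: str      # IP the file was seen on
    method: str    # application that carried it (Firefox, SMB, ...)


class FileTrajectory:
    """Per-file record of sightings plus the latest known disposition."""

    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [Sighting]
        self.disposition = {}                # sha256 -> "unknown" | "clean" | "malicious"

    def record(self, sha256, sighting):
        """Record one transfer. Returns True when the file is already known
        bad, i.e. this transfer should be blocked at the point it was seen."""
        self.sightings[sha256].append(sighting)
        return self.disposition.get(sha256) == "malicious"

    def update_disposition(self, sha256, new):
        """Apply a disposition from the intelligence cloud. When it changes to
        malicious, return one retrospective event covering every host that has
        ever received the file; otherwise return None."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = new
        if new != "malicious" or old == "malicious":
            return None
        seen = sorted(self.sightings[sha256], key=lambda s: s.when)
        first = seen[0]                                  # point of entry
        hosts = sorted({s.host for s in seen})
        return {
            "sha256": sha256,
            "first_seen": first.when,
            "point_of_entry": (first.host, first.method),
            "hosts": hosts,                              # systems impacted
            "prevalence": len(hosts),
        }


SHA = "sha256-PLACEHOLDER"          # constructed stand-in for the file fingerprint
T0 = datetime(2014, 1, 1, 10, 57)   # constructed date; the slide only gives 10:57


def run_use_case():
    """Replay the slides' sequence; returns (retrospective_event, reentry_blocked)."""
    traj = FileTrajectory()
    # Unknown file first seen on 10.4.10.183, downloaded via Firefox (before 10:57).
    traj.record(SHA, Sighting(T0 - timedelta(minutes=5), "10.4.10.183", "Firefox"))
    # 10:57: transferred to 10.5.11.8 (transfer method not given on the slide).
    traj.record(SHA, Sighting(T0, "10.5.11.8", "unspecified"))
    # Seven hours later: third device via SMB.
    traj.record(SHA, Sighting(T0 + timedelta(hours=7), "10.3.4.51", "SMB"))
    # Half an hour after that: fourth device via the same SMB application.
    traj.record(SHA, Sighting(T0 + timedelta(hours=7, minutes=30), "10.5.60.66", "SMB"))
    # The cloud learns the file is malicious: one event names all four devices.
    event = traj.update_disposition(SHA, "malicious")
    # Eight hours after the first attack the file re-enters via the original entry point.
    blocked = traj.record(SHA, Sighting(T0 + timedelta(hours=8), "10.4.10.183", "Firefox"))
    return event, blocked


if __name__ == "__main__":
    evt, blocked = run_use_case()
    print("point of entry:", evt["point_of_entry"])
    print("hosts to quarantine:", evt["hosts"])
    print("re-entry blocked:", blocked)
```

Two details carry the security value. The event is emitted only on the transition to malicious, so a repeated verdict from the cloud does not page the analyst twice, and the `record` call returns the block decision from the stored disposition, which is how the re-entry attempt on the last slide is stopped at the original point of entry without any new analysis.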

Page 43: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14


Visual Point of Reference: What is AMP exactly? What does it look like?

Page 44: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

It also connected to a publicly available geolocation script to discover the geo of the infected endpoint as part of its enrollment to the CnC

Page 45: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Searching for connections to j.maxmind.com, an analyst can also determine endpoints making this suspicious traffic to discover new infected endpoints

Page 46: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

The Results: Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value

NSS Labs Security Value Map (SVM) for Breach Detection Systems (axes: Security Effectiveness vs. TCO per Protected-Mbps)

Cisco Advanced Malware Protection: Best Protection Value; 99.0% Breach Detection Rating; Lowest TCO per Protected-Mbps

Overall Product Ratings: Security Effectiveness

Cisco-Sourcefire AMP Results – For Detection Capability Only

Page 47: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

FirePOWER Platforms

Page 48: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Sourcefire AMP Detection Systems: IPS Performance and Scalability

Deployment points: Data Center, Campus, Branch Office, SOHO, Internet Edge

FirePOWER 7000 Series: 50 Mbps – 250 Mbps

FirePOWER 7100 Series: 500 Mbps – 1 Gbps

FirePOWER 7120/7125/8120: 1 Gbps – 2 Gbps

FirePOWER 8100/8200: 2 Gbps – 10 Gbps

FirePOWER 8200 Series: 10 Gbps – 40 Gbps

From 50 Mbps to 60 Gbps

Modularity in 8000 Series

Fixed Connectivity in 7000 Series

Mixed SFPs in 7100 Series

Configuration Fail-Open & Fail-Close across all

Scalable 8000 Series

Runs NGIPS, AMP and App Control in the same chassis

Page 49: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

SSL Appliance vs Integrated SSL

External SSL appliance (figure: Client and Server exchange encrypted traffic through the SSL Appliance, which hands decrypted traffic to FirePOWER for inspection). Choose external SSL for high bandwidth and the ability to inspect with other solutions, e.g. DLP.

Integrated SSL: use the new built-in SSL inspection for simplicity and cost-effectiveness (v5.4 onwards only).

Page 50: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

Fire and ISE

Page 51: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14

EPS REST API

Threat Detection: IDS Sig • Malware • Traffic • Application • And Many More..

Automagical, Dynamic, Squirrely Threat/Malware/Attack Response/Defense

Quarantine Action (ISE): VLAN Assignment • dACLs • SGT • QoS TAG

Page 52: Cisco Yeni Nesil Güvenlik - Cisco Connect TR '14