Next Generation Security

Posted on 12-Jul-2015


<ul><li><p>Next Generation Security</p><p>Rob Bleeker, Security Consulting Systems Engineer, CCIE# 2926, CISSP</p><p>Justin Malczewski</p></li>
<li><p>2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3</p><p>The Industrialization of Hacking</p><p>Timeline (1990 to 2020): phishing and low-sophistication attacks, then hacking becomes an industry, then sophisticated attacks in a complex landscape.</p><ul><li>Viruses: 1990-2000</li><li>Worms: 2000-2005</li><li>Spyware and Rootkits: 2005-Today</li><li>APTs, Cyberware: Today+</li></ul></li>
<li><p>How Bad: 2013 and Beyond</p><p>Breach figures shown on the slide (labels not in the transcript): 145 million, 152 million, 70 million, 60 million, 50 million, 50 million, "and a lot more!"</p></li>
<li><p>Needs to be a Better Approach</p><p>The current approach has never worked. Imagine security as an architecture.</p></li>
<li><p>The New Security Model: the Attack Continuum</p><ul><li>BEFORE: Discover, Enforce, Harden</li><li>DURING: Detect, Block, Defend</li><li>AFTER: Scope, Contain, Remediate</li></ul><p>Applied across Network, Endpoint, Mobile, Virtual and Cloud, moving from point-in-time to continuous protection.</p></li>
<li><p>Cyber Attack Chain</p><p>Recon, Package, Deliver, Exploit, Install, CnC, Act</p><ul><li>BEFORE: Discover, Enforce, Harden</li><li>DURING: Detect, Block, Prevent</li><li>AFTER: Scope, Contain, Remediate</li></ul><p>Visibility and Context across the chain is provided by: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behavior Analysis.</p></li>
<li><p>The more you see, the better you can protect.</p></li>
<li><p>Visibility to Control: Cisco Security Intelligence Operation (SIO)</p><p>Inputs: WWW, email, web, devices, IPS, endpoints, networks. Products fed: Cloud, AnyConnect, IPS, ESA, WSA, ASA.</p><ul><li>More than 150 million deployed endpoints</li><li>100 TB of data received per day</li><li>1.6 million global sensors</li><li>40% of worldwide email traffic</li><li>13 billion web requests</li><li>3 to 5 minute updates</li><li>More than 200 parameters tracked</li><li>More than 5,500 IPS signatures produced</li><li>More than 8 million rules per day</li><li>More than 70 publications produced</li><li>More than 40 languages</li><li>More than 80 PhD, CCIE, CISSP, MCSE staff</li><li>More than $100 million spent in dynamic research and development</li><li>24 hours daily operations</li><li>More than 800 engineers, technicians and researchers</li></ul></li>
<li><p>Collective Security Intelligence</p><p>Outputs: IPS rules, malware protection, reputation feeds, vulnerability database updates.</p><p>Inputs: Sourcefire AEGIS Program, private and public threat feeds, sandnets, FireAMP Community, honeypots, advanced Microsoft and industry disclosures, SPARK Program, Snort and ClamAV open source communities, file samples (&gt;380,000 per day).</p><p>Sourcefire VRT (Vulnerability Research Team): sandboxing, machine learning, big data infrastructure.</p></li>
<li><p>ASA with FirePOWER Services</p></li>
<li><p>Sourcefire</p><p>Mission: Security from Cloud to Core. Founded in 2001 by Marty Roesch.</p><ul><li>Market leader in (NG)IPS</li><li>Recent entrant to the NGFW space with a strong offering</li><li>Groundbreaking Advanced Malware Protection solution</li><li>Innovative: 52+ patents issued or pending; pioneer in IPS, context-driven security, advanced malware</li><li>World-class research capability</li><li>Owner of major open source security projects: Snort, ClamAV, Razorback</li></ul></li>
<li><p>Sourcefire Security Solutions</p><ul><li>Collective Security Intelligence</li><li>Management Center (appliances | virtual)</li><li>Next-Generation Firewall, Next-Generation Intrusion Prevention, Advanced Malware Protection (appliances | virtual)</li><li>Contextual Awareness (hosts | virtual | mobile)</li></ul></li>
<li><p>FirePOWER Services for ASA: Components</p><ul><li>FirePOWER Services Software Module: models ASA 5512-X, 5515-X, 5525-X, 5545-X and 5555-X; SSD drive required; licenses and subscriptions</li><li>ASA 5585-X FirePOWER Services Blade: models ASA 5585-X-10, ASA 5585-X-20, ASA 5585-X-40, ASA 5585-X-60; new FirePOWER Services hardware module required; licenses and subscriptions</li></ul></li>
<li><p>2014 NSS Labs SVM for NGFW</p></li>
<li><p>Functional Distribution</p><ul><li>Base ASA: ACL, NAT, VPN termination, routing</li><li>FirePOWER Services Module: Advanced Malware Protection, AVC (application control), NGIPS, URL filtering</li></ul></li>
<li><p>Next Generation Security on a Trusted Firewall</p><ul><li>FirePOWER Services (NGIPS, NGFW/AVC, AMP) are managed by the FireSIGHT Management Center: comprehensive SECOPS workflows</li><li>ASA Software is managed by Cisco Security Manager (CSM) or ASDM: comprehensive NETOPS workflows</li></ul></li>
<li><p>NGFW Realities: OpenAppID</p><p>Why does this matter? Application visibility efficacy is NOT 100%. Today the best efficacy around App ID is about 65%. If you are looking to strengthen your overall security posture, then building policies with 65% efficacy is putting your organization at risk. This creates a hit-and-miss security model.</p><ul><li>Application ID is non-deterministic and applications are evasive; what happens with unknown applications?</li><li>Unknown applications should be logged and silent drops are forbidden: in security you need to know what has happened even if the application has not been identified.</li></ul><p>Cisco still understands the value of application visibility and control. Application visibility and control and web filtering have been within Cisco's portfolio for 5+ years. We have led this with our Cisco IronPort WSA and our CWS (ScanSafe) solutions, and we have brought this quadrant-leading product to our next generation ASA platform.</p><ul><li>Built upon a strong traditional stateful firewall platform that has been proven within the industry.</li><li>Cisco is solving the application ID efficacy problem with OpenAppID.</li></ul></li>
<li><p>NGFW Realities: The Building Blocks of the Best NGFW (Difficult to Build at Best)</p><p>The slide rates each element as Great, Good or Poor for "NGFW Today" versus "ASA with FirePOWER Services" (the individual ratings are not in the transcript). Elements: traditional FW, VPN, APP, URL, IPS, malware, visibility and integration.</p><p>It is very difficult to build best of breed for all elements that make up an NGFW. Note: the Great, Good and Poor ratings change depending on the product referenced. Cisco will be adding FireAMP for malware, Sourcefire NGIPS, and further ISE integration.</p></li>
<li><p>FirePOWER Services: Application Control</p><ul><li>Control access for applications, users and devices</li><li>Employees may view Facebook, but only Marketing may post to it</li><li>No one may use peer-to-peer file sharing apps</li></ul><p>Over 3,000 apps, devices, and more.</p></li>
<li><p>Application Control</p><ul><li>Social: security and DLP</li><li>Mobile: enforce BYOD policy</li><li>Bandwidth: recover lost bandwidth</li><li>Security: reduce attack surface</li></ul></li>
<li><p>FirePOWER Services: URL Filtering</p><ul><li>Block non-business-related sites by category</li><li>Based on user and user group</li></ul></li>
<li><p>FireSIGHT Full Stack Visibility</p><p>The slide marks which categories FirePOWER Services, a typical IPS and a typical NGFW can see (the marks are not in the transcript).</p><table><tr><th>Category</th><th>Examples</th></tr><tr><td>Threats</td><td>Attacks, anomalies</td></tr><tr><td>Users</td><td>AD, LDAP, POP3</td></tr><tr><td>Web Applications</td><td>Facebook Chat, eBay</td></tr><tr><td>Application Protocols</td><td>HTTP, SMTP, SSH</td></tr><tr><td>File Transfers</td><td>PDF, Office, EXE, JAR</td></tr><tr><td>Malware</td><td>Conficker, Flame</td></tr><tr><td>Command &amp; Control Servers</td><td>C&amp;C Security Intelligence</td></tr><tr><td>Client Applications</td><td>Firefox, IE6, BitTorrent</td></tr><tr><td>Network Servers</td><td>Apache 2.3.1, IIS4</td></tr><tr><td>Operating Systems</td><td>Windows, Linux</td></tr><tr><td>Routers &amp; Switches</td><td>Cisco, Nortel, Wireless</td></tr><tr><td>Mobile Devices</td><td>iPhone, Android, Jail</td></tr><tr><td>Printers</td><td>HP, Xerox, Canon</td></tr><tr><td>VoIP Phones</td><td>Cisco phones</td></tr><tr><td>Virtual Machines</td><td>VMware, Xen, RHEV</td></tr></table><p>Contextual awareness: information superiority.</p></li>
<li><p>Impact Assessment</p><p>Correlates every intrusion event to the impact of the attack against the target host.</p><table><tr><th>Impact Flag / Administrator Action</th><th>Why</th></tr><tr><td>Act Immediately: Vulnerable</td><td>Event corresponds to a vulnerability mapped to the host</td></tr><tr><td>Investigate: Potentially Vulnerable</td><td>Relevant port open or protocol in use, but no vulnerability mapped</td></tr><tr><td>Good to Know: Currently Not Vulnerable</td><td>Relevant port not open or protocol not in use</td></tr><tr><td>Good to Know: Unknown Target</td><td>Monitored network, but unknown host</td></tr><tr><td>Good to Know: Unknown Network</td><td>Unmonitored network</td></tr></table></li>
<li><p>Cisco FireSIGHT Simplifies Operations</p><p>Impact assessment and recommended rules automate routine tasks.</p></li>
<li><p>Reduced Cost and Complexity</p><ul><li>Multilayered protection in a single device</li><li>Highly scalable for branch, internet edge and data centers</li><li>Automates security tasks: impact assessment, policy tuning, user identification</li><li>Integrates transparently with third-party security solutions through the eStreamer API</li></ul></li>
<li><p>The Power of Continuous Analysis</p><p>Point-in-time security sees a lighter, bullet, cufflink, pen &amp; cigarette case. Wouldn't it be nice to know if you're dealing with something more deadly?</p></li>
<li><p>Indications of Compromise (IoCs)</p><ul><li>IPS events: malware backdoors, CnC connections, exploit kits, admin privilege escalations, web app attacks</li><li>SI (Security Intelligence) events: connections to known CnC IPs</li><li>Malware events: malware detections, malware executions, Office/PDF/Java compromises, dropper infections</li></ul></li>
<li><p>Advanced Malware Protection (FireAMP)</p></li>
<li><p>Beyond the Event Horizon: addressing the limitations of point-in-time detection</p><ul><li>Point-in-time detection (antivirus, sandboxing): initial disposition = clean, then analysis stops. It is not 100%: sleep techniques, unknown protocols, encryption and polymorphism evade it. Actual disposition = bad = too late, and the defender is blind to the scope of compromise.</li><li>Continuous (retrospective) detection: initial disposition = clean, but analysis continues. When the actual disposition becomes bad the file is blocked and the system "turns back time" to show where it has been. Visibility and control are key.</li></ul></li>
<li><p>FirePOWER Services: Advanced Malware</p><ol><li>File capture from network traffic</li><li>File storage</li><li>Send to the Collective Security Intelligence sandbox</li><li>Execution report, available in Defense Center; a malware alert is raised</li></ol></li>
<li><p>Visibility and Context</p><p>File trajectory events: file sent, file received, file executed, file moved, file quarantined.</p></li>
<li><p>FirePOWER Services for ASA: Subscriptions</p><table><tr><th>Category</th><th>Features</th><th>Fee</th></tr><tr><td>FirePOWER Services for ASA</td><td>Configurable fail-open interfaces; connection/flow logging; network, user and application discovery; traffic filtering / ACLs; NSS-leading IPS engine; comprehensive threat prevention; Security Intelligence (C&amp;C, botnets, spam, etc.); blocking of files by type, protocol and direction; basic DLP in IPS rules (SSN, credit card, etc.); access control: enforcement by application; access control: enforcement by user</td><td>Included with appliance</td></tr><tr><td>IPS and App Updates</td><td>IPS rule and application updates</td><td>Annual fee</td></tr><tr><td>URL Filtering</td><td>URL filtering subscription</td><td>Annual fee</td></tr><tr><td>Malware Protection</td><td>Subscription for malware blocking, continuous file analysis, malware network trajectory</td><td>Annual fee</td></tr></table></li>
<li><p>High Availability and Clustering</p><p>Max 2 units (failover); max 16 units* (clustering).</p></li>
<li><p>Deploying ASA with FirePOWER Services: High Availability with ASA Failover</p><ul><li>Available on all ASA platforms</li><li>State sharing between firewalls over the failover link for high availability</li><li>L2 transparent or L3 routed deployment options</li><li>ASA provides valid, normalized flows to the FirePOWER module</li><li>State sharing does not occur between FirePOWER Services modules</li></ul></li>
<li><p>Multi-Context ASA Deployments</p><ul><li>ASA can be configured in multi-context mode so that traffic going through the ASA can be assigned different policies.</li><li>Context interfaces are reported to the FirePOWER blade and can be assigned to security zones that are then used in differentiated policies.</li><li>In this example (Context A and Context B, each with Outside and Inside interfaces) you could create one policy for traffic from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside.</li><li>Note: there is no management segmentation inside the FirePOWER module comparable to the context concept in the ASA configuration.</li></ul></li>
<li><p>Multi-Context ASA Deployments (diagram: Admin Context, Context-1)</p></li>
<li><p>Deploying ASA with FirePOWER Services: Scaling IPS with ASA5585-X Clustering</p><ul><li>Up to 8 ASA5585-X IPS</li><li>Stateless load balancing by external switch</li><li>L2 transparent or L3 routed deployment options</li><li>Support for vPC, VSS and LACP</li><li>Cluster Control Protocol/Link</li><li>State sharing between firewalls for symmetry and high availability</li><li>Every session has a primary and a secondary owner ASA</li><li>ASA provides traffic symmetry to the FirePOWER module</li></ul></li>
<li><p>Why ASA with FirePOWER Services?</p><ul><li>World's most widely deployed, enterprise-class ASA stateful firewall</li><li>Granular Application Visibility and Control (AVC)</li><li>Industry-leading...</li></ul></li></ul>
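The Impact Assessment slide above maps each intrusion event to an administrator action by correlating it with what is known about the target host. The following is an added example, not Cisco or Sourcefire code: it implements that correlation logic over a constructed host inventory (the host profiles, vulnerability IDs and monitored network range are assumptions) and ranks the resulting events into a triage queue.

```python
"""Impact assessment: correlate intrusion events with host knowledge (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed inventory: what discovery has learned about each monitored host.
@dataclass
class HostProfile:
    ip: str
    open_ports: set = field(default_factory=set)   # {("tcp", 80), ...}
    vulns: set = field(default_factory=set)        # vulnerability IDs mapped to the host (constructed)

@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int
    vuln_refs: set                                  # vulnerabilities the IPS rule is associated with

MONITORED_NETWORKS = [ip_network("10.0.0.0/8")]    # assumption: the network the sensors discover

# Flag name -> (administrator action, priority, reason), in the order the slide gives them.
IMPACT_FLAGS = {
    "vulnerable":               ("Act Immediately", 1, "event matches a vulnerability mapped to the host"),
    "potentially_vulnerable":   ("Investigate",     2, "port open or protocol in use, no vulnerability mapped"),
    "currently_not_vulnerable": ("Good to Know",    3, "port not open or protocol not in use"),
    "unknown_target":           ("Good to Know",    4, "monitored network, unknown host"),
    "unknown_network":          ("Good to Know",    5, "unmonitored network"),
}

def assess(event: IntrusionEvent, hosts: dict[str, HostProfile]) -> str:
    """Return the impact flag for one event given the host inventory."""
    ip = ip_address(event.dst_ip)
    if not any(ip in net for net in MONITORED_NETWORKS):
        return "unknown_network"
    host = hosts.get(event.dst_ip)
    if host is None:
        return "unknown_target"
    if event.vuln_refs & host.vulns:
        return "vulnerable"
    if (event.proto, event.dst_port) in host.open_ports:
        return "potentially_vulnerable"
    return "currently_not_vulnerable"

def triage(events: list[IntrusionEvent], hosts: dict[str, HostProfile]) -> list[tuple[str, str, str]]:
    """Sort events by impact so 'Act Immediately' items are reviewed first."""
    scored = [(IMPACT_FLAGS[assess(e, hosts)][1], e.dst_ip, assess(e, hosts)) for e in events]
    return [(ip, flag, IMPACT_FLAGS[flag][0]) for _, ip, flag in sorted(scored)]

# Constructed sample: one web server with a mapped vulnerability (IDs are placeholders).
SAMPLE_HOSTS = {"10.1.1.5": HostProfile("10.1.1.5", {("tcp", 80)}, {"VULN-001"})}
SAMPLE_EVENTS = [
    IntrusionEvent("192.0.2.7", "tcp", 80, {"VULN-001"}),   # outside monitored range
    IntrusionEvent("10.1.1.5", "tcp", 443, {"VULN-999"}),  # port not open on host
    IntrusionEvent("10.1.1.5", "tcp", 80, {"VULN-001"}),   # matches mapped vulnerability
    IntrusionEvent("10.1.1.9", "tcp", 80, {"VULN-001"}),   # monitored, but undiscovered host
]
```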
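The retrospective detection and file trajectory slides above describe a file whose initial disposition is clean, whose disposition later flips to bad, and whose sent/received/executed/moved/quarantined history then tells you which hosts were exposed. This added example, not Cisco or Sourcefire code, shows that "turn back time" step over a constructed disposition log and trajectory event list (hashes, hosts and times are placeholders); it also separates hosts that have already quarantined the file from those still exposed.

```python
"""Retrospective detection over a file trajectory (added example)."""

# Constructed trajectory events: (time, file_hash, host, action).
TRAJECTORY = [
    (1, "sha_A", "10.1.1.5", "received"),
    (2, "sha_A", "10.1.1.5", "executed"),
    (3, "sha_A", "10.1.1.5", "sent"),
    (3, "sha_A", "10.1.1.8", "received"),
    (5, "sha_A", "10.1.1.8", "moved"),
    (7, "sha_A", "10.1.1.8", "quarantined"),
    (4, "sha_B", "10.1.1.9", "received"),
]

# Constructed disposition log published by the intelligence cloud: (time, file_hash, disposition).
DISPOSITION_LOG = [
    (0, "sha_A", "clean"),     # point-in-time verdict at first sight
    (6, "sha_A", "malware"),   # verdict changes after continued analysis
    (0, "sha_B", "clean"),
]

def disposition_flips(log):
    """Return {hash: time} for every file whose disposition changed to malware."""
    last, flips = {}, {}
    for t, file_hash, disposition in sorted(log):
        if disposition == "malware" and last.get(file_hash) != "malware":
            flips.setdefault(file_hash, t)
        last[file_hash] = disposition
    return flips

def retrospective_alerts(events, log):
    """For each flipped file, walk its trajectory back in time to find exposure."""
    alerts = {}
    for file_hash, t_flip in disposition_flips(log).items():
        trajectory = sorted(e for e in events if e[1] == file_hash)
        # Exposure means the file landed on or ran on the host, regardless of the original verdict.
        exposed = {host for _, _, host, act in trajectory if act in ("received", "executed")}
        executed = {host for _, _, host, act in trajectory if act == "executed"}
        quarantined = {host for _, _, host, act in trajectory if act == "quarantined"}
        alerts[file_hash] = {
            "flipped_at": t_flip,
            "first_seen": trajectory[0][0] if trajectory else None,
            "exposed_hosts": sorted(exposed),
            "executed_on": sorted(executed),
            "still_exposed": sorted(exposed - quarantined),   # hosts that need containment now
        }
    return alerts
```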
