Page 1

Next Generation Security

John Tzortzakakis
jtzortza@cisco.com
Security Solutions Architect - Security Business Group

© 2014 Cisco/Sourcefire and/or its affiliates. All rights reserved. Cisco Confidential

Page 2

Have Questions?

• Cisco and Sourcefire together, why?
• Is Cisco “Open Source”?
• Finally, what is THE problem?
• How are Cisco and Sourcefire helping you solve it?
• Why is this better?
• How can you benefit?

Page 3

In the News…

• On October 8, 2013 Cisco completed the acquisition of Sourcefire, a Columbia, MD-based industry leader in intelligent cybersecurity products and services for the enterprise, public sector and midmarket.
• “Sourcefire delivers innovative, highly automated security, through continuous awareness, detection and protection across its industry-leading portfolio, including next-generation intrusion prevention systems, next-generation firewall, and advanced malware protection.”
• Together, Cisco and Sourcefire will combine their world-class products and technologies to provide continuous and pervasive advanced threat protection across the entire attack continuum and from any device to any cloud.

Page 4

Who is Sourcefire?

• Founded in 2001
• Led by cyber-security-focused individuals
• Security from Cloud to Core
• Market leader in (NG)IPS
• Groundbreaking Advanced Malware Protection solution
• Innovative – 52+ patents issued or pending
• Pioneer in IPS, context-driven security, advanced malware
• World-class research capability

Gartner MQ Leader since 2006.

Page 5

The Open Source Philosophy

• Owner of major Open Source security projects: Snort, ClamAV, Razorback, OpenAppID
• Open source is about building great software in a collaborative manner with the people who will use it and giving them what they need to solve complex problems.
• In the security context, it's also about building trust with the community of users by demonstrating technical excellence, trustworthiness, thought leadership and a considered approach to what is important as it relates to the problem at hand.
• Legacy of success (Linux, Apache, Snort)
• Robustness of community
• No ‘black box’ functionality
• Weaknesses exposed and corrected

Page 6

The ‘Next Generation Security’ Perspective (NGS)

Page 7

Some Critical Definitions…

• The industry is focused on NGFW. What is it?
  - Defined by a new vendor, Palo Alto Networks, positioning Application Visibility as THE new construct for firewall policy (App-ID)
  - The rest of the industry has followed due to PAN's aggressive marketing and ‘perceived’ visibility
  - NetworkWorld and NSS investigations found Application Visibility efficacy to be only 30-40% – recommended NOT to be used as a security control
• NGFW definition: (stateful) FW, AVC, IPS, URL, User Identity, AV/AS
• The industry should be focused on Next-Generation SECURITY:
  - High-efficacy threat controls and defenses + forensics / threat containment
  - Integration with existing building blocks, like FW, URL, devices, etc.
  - Integration throughout the network – not just on one box

Page 8

The Problem is THREATS

Page 9

If you knew you were going to be compromised, would you do security differently?

Page 10

The Next Generation Security Model

Attack Continuum (diagram): BEFORE: Control, Enforce, Harden | DURING: Detect, Block, Defend | AFTER: Scope, Contain, Remediate. Coverage: Network, Endpoint, Mobile, Virtual, Cloud. From point-in-time to continuous.

Page 11

The Next Generation Security Model

BEFORE THE ATTACK: You need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSIGHT).

Access controls, enforce policy, manage applications and overall access to assets.

Access controls reduce the attack surface, but there will still be holes that the bad guys will find.

ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective.

Page 12

The Next Generation Security Model

DURING THE ATTACK:

Must have the highest-efficacy threat detection mechanisms possible.

Detection methods MUST be multi-dimensional and correlated.

Once we detect attacks, NGS can block them and dynamically defend the environment.

Page 13

The Next Generation Security Model

AFTER THE ATTACK:

Invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal.

Also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself – on the network, endpoint, mobile devices, virtual environments, including cloud.

Page 14

The Next Generation Security Model

Continuous vs. point-in-time inspection: We leverage cloud-based big data analytics to go beyond point-in-time detection, constantly re-evaluating new and historical data gathered over time to detect stealthy attacks.

We also retrospectively inspect and alert the customer if the disposition of a file changes. With point-in-time detection methods, the file is inspected once (first observation). If no conviction is made, it will continue to evade detection.

Page 15

Mapping Technologies to the Model

Attack Continuum (diagram): BEFORE: Control, Enforce, Harden | DURING: Detect, Block, Defend | AFTER: Scope, Contain, Remediate

Visibility and Context underpins all three phases. Technologies, grouped as laid out across the continuum from BEFORE to AFTER:
• BEFORE: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC
• DURING: IPS, Anti-Virus, Email/Web, IDS
• AFTER: FPC, Forensics, AMD, Log Mgmt, SIEM

Page 16

Strategic Imperatives

• Visibility Driven: Network Integrated, Broad Sensor Base, Context & Automation
• Threat Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
• Platform Based: Agile & Open Platforms, Built for Scale, Consistent Control, Management

Network | Endpoint | Mobile | Virtual | Cloud

Page 17

Collective Security Intelligence

Reduce Complexity and Increase Capability

• Device Control Platform: Host | Mobile | Virtual
• Network Control Platform: Appliances | Virtual
• Cloud Services Control Platform: Hosted
• Centralized Management: Appliances | Virtual

Page 18

Contextual Visibility

• Who: Focus on these users first
• What: These applications are affected
• Where: The breach impacted these areas
• When: This is the scope of exposure over time
• How: Here is the origin and progression of the threat

Giving you the assurance and visibility to know exactly where to start

Page 19

Built on unmatched Collective Security Intelligence

Cisco® SIO + Sourcefire VRT® (Vulnerability Research Team)

Inputs: 180,000+ file samples per day; advanced Microsoft and industry disclosures; FireAMP™ community, Snort and ClamAV open source communities; Sourcefire AEGIS™ program; private and public threat feeds; honeypots, dynamic analysis.

Footprint: 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600+ engineers, technicians, and researchers; 35% of worldwide email traffic; 13 billion web requests; 24x7x365 operations; 40+ languages.

Diagram labels: Email, Endpoints, Web, Networks, IPS Devices, WWW → Cisco Collective Security Intelligence → AMP, Files, NGIPS.

SIO + Sourcefire VRT represents the industry's largest collection of real-time threat intelligence, with the broadest visibility, longest tenure (>10 years of threat data), largest footprint and ability to put it into action across multiple security platforms.

Page 20

Cisco and Sourcefire – Better Together

• Built around visibility and context
• Focus on threats in addition to policy
• Reduces complexity, increases capabilities
• A platform strategy addressing a broad range of attack vectors – everywhere the threat manifests – even at the client
• Enabled by world-class research & open source

Page 21

The Next Generation Security Difference

Page 22

What Cisco | Sourcefire Shows you…

Target context that is imperative to a threat-centric security system:

• What is this host? Windows Server
• What is the OS? Server 2008
• Are vulnerabilities tracked on each host? Yes – potential and active vulnerabilities known at all times. Full context: internal IP address, location, criticality, user, potential and active vulnerabilities.
• How are vulnerabilities known? Passive visibility monitors the entire network with FireSIGHT – vulnerability data is available in real time on all types of systems: mobile, PC-based, network devices.

Page 23

For the analyst: Fastest meaningful actionable data

The same event, shown three times with increasing context:

1. The basic event that indicates a potential compromise:
   Event: Attempted Privilege Gain
   Target: 96.16.242.135

2. The system reports that the target is “vulnerable” and the apps running on that host. Notice the location of the attack…
   Event: Attempted Privilege Gain
   Target: 96.16.242.135 (vulnerable)
   Host OS: Blackberry
   Apps: Mail, Browser, Twitter
   Location: Ljubljana, Slovenia

3. With user identity added, the next 30 minutes of this security analyst's life are now “career defining”:
   Event: Attempted Privilege Gain
   Target: 96.16.242.135 (vulnerable)
   Host OS: Blackberry
   Apps: Mail, Browser, Twitter
   Location: Ljubljana, Slovenia
   User ID: bpahor
   Full Name: Borut Pahor
   Department: Executive Office

Context has the capability of fundamentally changing the interpretation of your event data.
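The enrichment the slide walks through can be made mechanical: join the raw intrusion event with a passively built host profile and a user-to-IP mapping, then rate impact so the analyst sees vulnerable, high-criticality targets first. The Python below is an added example, not Cisco or Sourcefire code and not how FireSIGHT implements its impact flags. The host inventory, the user mapping, the attacker address 203.0.113.5, the signature ID 1000001 and the three-level impact scale are all constructed for the example.

```python
"""Event enrichment with host and user context, then impact rating.

Added illustration, not Cisco/Sourcefire code: the inventory, the user mapping,
the events and the impact scale are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class HostProfile:
    ip: str
    os: str
    apps: list
    location: str
    vulnerable_to: set    # rule/signature IDs this host is believed vulnerable to
    criticality: int = 1  # operator-assigned: 1 = low, 3 = high


@dataclass
class UserIdentity:
    user_id: str
    full_name: str
    department: str


@dataclass
class IntrusionEvent:
    sid: int  # rule/signature ID that fired (constructed value below)
    classification: str
    src_ip: str
    dst_ip: str


# Constructed inventory: the deck's example host plus one unremarkable lab box.
HOSTS = {
    "96.16.242.135": HostProfile(
        ip="96.16.242.135", os="Blackberry", apps=["Mail", "Browser", "Twitter"],
        location="Ljubljana, Slovenia", vulnerable_to={1000001}, criticality=3),
    "10.0.0.7": HostProfile(
        ip="10.0.0.7", os="Linux", apps=["sshd"], location="Lab",
        vulnerable_to=set(), criticality=1),
}
# Constructed identity mapping (who was logged on at that IP).
USERS = {"96.16.242.135": UserIdentity("bpahor", "Borut Pahor", "Executive Office")}


def impact(event, host):
    """Constructed three-level scale, lowest number = most urgent:
    1 target profiled and believed vulnerable to the rule that fired,
    2 target profiled but not known vulnerable,
    3 target not in the inventory at all (nothing is known about it)."""
    if host is None:
        return 3
    if event.sid in host.vulnerable_to:
        return 1
    return 2


def enrich(event, hosts=HOSTS, users=USERS):
    """Return the bare event plus whatever host and user context is available."""
    host = hosts.get(event.dst_ip)
    user = users.get(event.dst_ip)
    record = {"event": event.classification, "target": event.dst_ip,
              "source": event.src_ip, "impact": impact(event, host)}
    if host is not None:
        record.update(vulnerable=event.sid in host.vulnerable_to, host_os=host.os,
                      apps=list(host.apps), location=host.location,
                      criticality=host.criticality)
    if user is not None:
        record.update(user_id=user.user_id, full_name=user.full_name,
                      department=user.department)
    return record


def triage_order(events, hosts=HOSTS, users=USERS):
    """Enrich a batch and order it: most urgent impact first, then the more
    critical asset first among equals. Unknown hosts sort last."""
    enriched = [enrich(e, hosts, users) for e in events]
    return sorted(enriched, key=lambda r: (r["impact"], -r.get("criticality", 0)))


if __name__ == "__main__":
    sample = [
        IntrusionEvent(1000001, "Attempted Privilege Gain", "203.0.113.5", "192.0.2.9"),
        IntrusionEvent(1000001, "Attempted Privilege Gain", "203.0.113.5", "10.0.0.7"),
        IntrusionEvent(1000001, "Attempted Privilege Gain", "203.0.113.5", "96.16.242.135"),
    ]
    for row in triage_order(sample):
        print(row)
```

The design point is that the raw event never changes; only the joins against the inventory and the identity store do, and the sort key is derived from those joins. A host that is not in the inventory is not "safe", it is unknown, which is why it gets its own impact level rather than being treated as not vulnerable.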

Page 24

What is FireAMP? Integrated Advanced Malware Protection

• Reporting • Analysis • Trajectory • Control

• Continuous analysis improves visibility before, during, and after the attack – enables retrospective security.
• Contextual information for all files/activity – preserves context for later analysis; parent/child relationships facilitate root cause identification.
• Provides real-time results – finds all affected hosts in seconds using a file hash or other attribute.
• Integrated remediation – stops the outbreak enterprise-wide with a simple policy update.
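The continuous-versus-point-in-time argument on the model slide and the trajectory, hash-lookup and parent/child bullets above describe one mechanism: retain every file observation, and when a file's disposition changes later, act on the stored history rather than only on the next sighting. The Python below is an added example of that mechanism, not FireAMP code. The Trajectory class, the Observation records, the abbreviated hash strings such as "pay-bbb" and the timeline in demo() are all constructed.

```python
"""Retrospective file disposition tracking (trajectory).

Added illustration, not FireAMP code: the Trajectory class, Observation records,
abbreviated hash strings and the timeline in demo() are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observation:
    ts: int                # observation time, seconds (constructed)
    host: str
    sha256: str            # file hash; abbreviated constructed values below
    parent: Optional[str]  # hash of the process that wrote or ran it, if known


class Trajectory:
    def __init__(self):
        self.by_hash = defaultdict(list)  # hash -> every Observation of that file
        self.disposition = {}             # hash -> "clean" | "malicious" (absent = unknown)
        self.parent_of = {}               # child hash -> first recorded parent hash
        self.alerts = []                  # (kind, host, hash, ts)

    def observe(self, obs):
        """Point-in-time path: record the sighting and block only if the hash is
        already convicted. An unknown file is let through but never forgotten."""
        self.by_hash[obs.sha256].append(obs)
        if obs.parent is not None:
            self.parent_of.setdefault(obs.sha256, obs.parent)
        verdict = self.disposition.get(obs.sha256, "unknown")
        if verdict == "malicious":
            self.alerts.append(("block", obs.host, obs.sha256, obs.ts))
        return verdict

    def update_disposition(self, sha256, verdict):
        """Continuous path: a later conviction (sandbox result, community intel)
        re-evaluates stored history and alerts every host that saw the file,
        stamped with the original sighting time so exposure can be scoped."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        retro = []
        if verdict == "malicious" and previous != "malicious":
            retro = [("retrospective", o.host, sha256, o.ts)
                     for o in self.by_hash.get(sha256, [])]
        self.alerts.extend(retro)
        return retro

    def affected_hosts(self, sha256):
        """Hash lookup: every host that has ever seen this file."""
        return sorted({o.host for o in self.by_hash.get(sha256, [])})

    def root_cause(self, sha256):
        """Walk parent/child links back to the earliest known ancestor."""
        chain, seen = [sha256], {sha256}
        while chain[-1] in self.parent_of and self.parent_of[chain[-1]] not in seen:
            chain.append(self.parent_of[chain[-1]])
            seen.add(chain[-1])
        return chain

    def exposure_window(self, sha256, now):
        """(first sighting, seconds between first sighting and now), or None."""
        sightings = self.by_hash.get(sha256)
        if not sightings:
            return None
        first = min(o.ts for o in sightings)
        return first, now - first


def demo():
    """Constructed timeline: a downloader drops a payload on three hosts; the
    payload is unknown at first sight and convicted later."""
    t = Trajectory()
    t.observe(Observation(1000, "ws-01", "dl-aaa", None))       # downloader lands
    t.observe(Observation(1010, "ws-01", "pay-bbb", "dl-aaa"))  # it writes the payload
    t.observe(Observation(1300, "ws-02", "pay-bbb", "dl-aaa"))
    t.observe(Observation(2200, "ws-03", "pay-bbb", None))
    retro = t.update_disposition("pay-bbb", "malicious")        # conviction at t=8200
    verdict = t.observe(Observation(8300, "ws-04", "pay-bbb", None))  # blocked on sight
    return t, retro, verdict


if __name__ == "__main__":
    t, retro, verdict = demo()
    print(retro, verdict, t.affected_hosts("pay-bbb"), t.root_cause("pay-bbb"))
```

The point-in-time path alone would have let the payload through on ws-01, ws-02 and ws-03 and never revisited them; the retrospective alerts carry the original sighting times, so the exposure window and the first host to receive the file fall out of the stored history rather than from a fresh scan.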

Page 25

Cisco FirePOWER Next-Generation Security

Categories                  Examples                     FirePOWER Services   Typical IPS   Typical NGFW
Threats                     Attacks, Anomalies           ✔                    ✔             ✔
Users                       AD, LDAP, POP3               ✔                    ✗             ✔
Web Applications            Facebook Chat, Ebay          ✔                    ✗             ✔
Application Protocols       HTTP, SMTP, SSH              ✔                    ✗             ✔
File Transfers              PDF, Office, EXE, JAR        ✔                    ✗             ✔
Malware                     Conficker, Flame             ✔                    ✗             ✗
Command & Control Servers   C&C Security Intelligence    ✔                    ✗             ✗
Client Applications         Firefox, IE6, BitTorrent     ✔                    ✗             ✗
Network Servers             Apache 2.3.1, IIS4           ✔                    ✗             ✗
Operating Systems           Windows, Linux               ✔                    ✗             ✗
Routers & Switches          Cisco, Nortel, Wireless      ✔                    ✗             ✗
Mobile Devices              iPhone, Android, Jail        ✔                    ✗             ✗
Printers                    HP, Xerox, Canon             ✔                    ✗             ✗
VoIP Phones                 Avaya, Polycom               ✔                    ✗             ✗
Virtual Machines            VMware, Xen, RHEV            ✔                    ✗             ✗

Broad contextual awareness | Enterprise-class management and automation
Granular application controls | Security policy tied to specific application risk

Page 26

Device and Policy Management: Today

Page 27

Device and Policy Management: Future

Page 28

Cisco and Sourcefire – Better Together

Attack Continuum (diagram): BEFORE: Control, Enforce, Harden | DURING: Detect, Block, Defend | AFTER: Scope, Contain, Remediate

Visibility and Context underpins all three phases. Cisco and Sourcefire products, grouped as laid out across the continuum from BEFORE to AFTER:
• BEFORE: Firewall, NGFW, NAC + Identity Services, VPN, Client
• DURING: NGIPS, Web Security, Email Security
• AFTER: Advanced Malware Protection, Network Behavior Analysis

Page 29

Summary

• Cisco and Sourcefire – better together
• Network-wide visibility – best-in-class efficacy – lowest TCO
• Reduce complexity, increase capabilities, leverage your investment
• A platform strategy addressing a broad range of attack vectors – everywhere the threat manifests
• No need to sacrifice your security for a ‘trendy’ box – your safety is too important

Page 30