© 2014 Cisco/Sourcefire and/or its affiliates. All rights reserved. Cisco Confidential
Next Generation Security John Tzortzakakis
Security Solutions Architect - Security Business Group
Have Questions?
• Cisco and SourceFire together, why?
• Cisco is “Open Source”?
• Finally, what is THE problem?
• How are Cisco and Sourcefire helping you solve it?
• Why is this better?
• How can you benefit?
In the News…
• On October 8, 2013 Cisco completed the acquisition of Sourcefire, a Columbia, MD-based industry leader in intelligent cybersecurity products and services for the enterprise, public sector and midmarket.
• “Sourcefire delivers innovative, highly automated security, through continuous awareness, detection and protection across its industry-leading portfolio, including next-generation intrusion prevention systems, next-generation firewall, and advanced malware protection.”
• Together, Cisco and Sourcefire will combine their world-class products and technologies to provide continuous and pervasive advanced threat protection across the entire attack continuum and from any device to any cloud.
Who is Sourcefire?
• Founded in 2001
• Led by cyber-security-focused individuals
• Security from Cloud to Core
• Market leader in (NG)IPS
• Groundbreaking Advanced Malware Protection solution
• Innovative – 52+ patents issued or pending
• Pioneer in IPS, context-driven security, advanced malware
• World-class research capability
Gartner MQ Leader since 2006.
The Open Source Philosophy
• Owner of major Open Source security projects: Snort, ClamAV, Razorback, OpenAppID
• Open source is about building great software in a collaborative manner with the people who will use it and giving them what they need to solve complex problems.
• In the security context, it's also about building trust from the community of users by demonstrating technical excellence, trustworthiness, thought leadership and a considered approach to what is important as it relates to the problem at hand.
• Legacy of Success (Linux, Apache, Snort)
• Robustness of community
• No ‘black box’ functionality
• Weaknesses exposed and corrected
The ‘Next Generation Security’ Perspective (NGS)
Some Critical Definitions…
• Industry is focused on NGFW
• What is it?
• Defined by a new vendor, Palo Alto Networks, positioning Application Visibility as THE new construct for Firewall policy (App-ID)
- The rest of the industry has followed due to PAN's aggressive marketing and ‘perceived’ visibility
- NetworkWorld and NSS investigations have proven Application Visibility efficacy is only 30-40%; it is recommended NOT to be used as a security control
• NGFW definition: (Stateful) FW, AVC, IPS, URL, User Identity, AV/AS
• Industry should be focused on Next-Generation SECURITY
• High-efficacy threat controls and defenses + forensics / threat containment
• Integration with existing building blocks, like FW, URL, devices, etc.
• Integration throughout the network – not just on one box
The Problem is THREATS
If you knew you were going to be compromised, would you do security differently?
The Next Generation Security Model
Attack Continuum: BEFORE (Control, Enforce, Harden) → DURING (Detect, Block, Defend) → AFTER (Scope, Contain, Remediate)
Coverage: Network, Endpoint, Mobile, Virtual, Cloud
Inspection: Point in time → Continuous
BEFORE THE ATTACK: You need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSIGHT).
Access controls, enforce policy, manage applications and overall access to assets.
Access controls reduce the surface area of attack, but there will still be holes that the bad guys will find.
ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective.
DURING THE ATTACK:
• Must have the highest-efficacy threat detection mechanisms possible
• Detection methods MUST be multi-dimensional and correlated
• Once we detect attacks, NGS can block them and dynamically defend the environment
AFTER THE ATTACK: Invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal.
Also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself – on the network, endpoint, mobile devices, virtual environments, including cloud.
Continuous vs. Point-In-Time inspection: We leverage cloud-based big data analytics to go beyond point-in-time detection, constantly re-evaluating new and historical data gathered over time to detect stealthy attacks.
We also retrospectively inspect and alert the customer if the disposition of a file changes. With point-in-time detection methods, the file is inspected once (first observation). If no conviction is made, it will continue to evade detection.
Mapping Technologies to the Model
Attack Continuum: BEFORE (Control, Enforce, Harden) → DURING (Detect, Block, Defend) → AFTER (Scope, Contain, Remediate)
Visibility and Context spans all three phases.
Technologies, in slide order from left (before) to right (after) across the continuum: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Anti-Virus, Email/Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM
Strategic Imperatives
• Visibility Driven: Network Integrated, Broad Sensor Base, Context & Automation
• Threat Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
• Platform Based: Agile & Open Platforms, Built for Scale, Consistent Control, Management
Across Network, Endpoint, Mobile, Virtual, Cloud
Collective Security Intelligence
Reduce Complexity and Increase Capability
• Device Control Platform: Host | Mobile | Virtual
• Network Control Platform: Appliances | Virtual
• Cloud Services Control Platform: Hosted
• Centralized Management: Appliances | Virtual
Contextual Visibility
• Who: Focus on these users first
• What: These applications are affected
• Where: The breach impacted these areas
• When: This is the scope of exposure over time
• How: Here is the origin and progression of the threat
Giving you the assurance and visibility to know exactly where to start
Built on unmatched Collective Security Intelligence
Intelligence sources:
• 180,000+ file samples per day
• Advanced Microsoft and industry disclosures
• FireAMP™ Community, Snort and ClamAV Open Source Communities
• Sourcefire AEGIS™ Program
• Private and public threat feeds
• Honeypots, dynamic analysis
Scale:
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600+ engineers, technicians, and researchers
• 35% of worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 40+ languages
Cisco® SIO + Sourcefire VRT® (Vulnerability Research Team) → Cisco Collective Security Intelligence
Telemetry sources: Email, Endpoints, Web, Networks, IPS, Devices, WWW; protection delivered through AMP, Files, NGIPS
SIO + Sourcefire VRT represents the industry’s largest collection of real-time threat intelligence, with the broadest visibility, longest tenure (>10 years of threat data), largest footprint and ability to put it into action across multiple security platforms.
Cisco and Sourcefire – Better Together
• Built around visibility and context
• Focus on threats in addition to policy
• Reduces complexity, increases capabilities
• A platform strategy addressing a broad range of attack vectors – everywhere the threat manifests – even at the client
• Enabled by world-class research & open source
The Next Generation Security Difference
What Cisco | Sourcefire Shows you…
Target context that is imperative to a Threat-Centric Security System:
• What is this host? Windows Server
• What is the OS? Server 2008
• Are vulnerabilities tracked on each host? Yes – potential and active vulnerabilities known at all times. Full context: internal IP address, location, criticality, user, potential and active vulnerabilities.
• How are vulnerabilities known? Passive visibility monitors the entire network with FireSIGHT; vulnerability data is available in real time on all types of systems: mobile, PC-based, network devices.
For the analyst: Fastest meaningful actionable data
Context has the capability of fundamentally changing the interpretation of your event data.
1. The basic event that indicates a potential compromise:
Event: Attempted Privilege Gain
Target: 96.16.242.135
2. The system reports that the target is “Vulnerable” and the apps running on that host. Notice the location of the attack:
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: Ljubljana, Slovenia
3. With user identity added, the next 30 minutes of this security analyst's life are now “Career Defining”:
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: Ljubljana, Slovenia
User ID: bpahor
Full Name: Borut Pahor
Department: Executive Office
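The enrichment the three event views above walk through, as an added example that is not Cisco or Sourcefire code: a bare IPS event is joined with a constructed host inventory and rated by whether the target is actually vulnerable to what the rule detected. The inventory, the `rule_vuln`/`rule_os` fields and the vulnerability identifier are all assumptions made for the illustration.

```python
# Added illustration (not Cisco/Sourcefire code) of the enrichment the slide
# shows: a bare IPS event is joined with a host inventory so the analyst sees
# OS, applications, location, user and, most importantly, whether the target
# is actually vulnerable to what the rule detected. All data is constructed;
# the vulnerability identifier is a placeholder, not a real advisory.
HOSTS = {
    "96.16.242.135": {
        "os": "Blackberry",
        "apps": ["Mail", "Browser", "Twitter"],
        "location": "Ljubljana, Slovenia",
        "vulns": {"VULN-PLACEHOLDER-1"},
        "user": {"id": "bpahor", "name": "Borut Pahor", "dept": "Executive Office"},
    },
    "10.0.0.7": {
        "os": "Linux", "apps": ["sshd"], "location": "DC1",
        "vulns": set(), "user": None,
    },
}

def enrich(event: dict, hosts: dict = HOSTS) -> dict:
    """Return the event with inventory context and an impact rating attached.

    Impact ladder (a simplification of the 'vulnerable' marker on the slide):
      vulnerable      target tracked as carrying the vulnerability the rule targets
      not applicable  target known but runs a different OS than the rule targets
      possible        target known, OS fits, but no matching vulnerability tracked
      unknown         target not in inventory, so the event cannot be rated
    """
    out = dict(event)
    host = hosts.get(event["target"])
    if host is None:
        out["impact"] = "unknown"
        return out
    for key in ("os", "apps", "location", "user"):
        out[key] = host[key]
    if event.get("rule_vuln") in host["vulns"]:
        out["impact"] = "vulnerable"
    elif event.get("rule_os") not in (None, host["os"]):
        out["impact"] = "not applicable"
    else:
        out["impact"] = "possible"
    return out

if __name__ == "__main__":
    ev = {"event": "Attempted Privilege Gain", "target": "96.16.242.135",
          "rule_vuln": "VULN-PLACEHOLDER-1"}
    for k, v in enrich(ev).items():
        print(f"{k}: {v}")
```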
What is FireAMP? Integrated Advanced Malware Protection
• Reporting
• Analysis
• Trajectory
• Control
Continuous analysis: improves visibility before, during, and after the attack; enables Retrospective Security.
Contextual information for all files/activity: preserves context for later analysis; parent/child relationships facilitate root cause identification.
Provides real-time results: finds all affected hosts in seconds using a file hash or other attribute.
Integrated remediation: stops the outbreak enterprise-wide with a simple policy update.
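Retrospective security as described under "Continuous vs. Point-In-Time inspection" and the trajectory features listed above, as one added example that is not FireAMP code: every file sighting is recorded with host, time and parent file; when a hash's disposition later changes to malicious, the store alerts on every host that ever saw it and walks the parent chain back to the root cause. Hash values, host names and the `Trajectory` class are constructed for the illustration.

```python
# Added illustration (not FireAMP code) of retrospective security: every file
# sighting is recorded with host, time and parent file, so that when the
# verdict for a hash later flips to malicious, the store can alert on every
# host that ever saw it and walk the parent chain back to the root cause.
# Hash values below are constructed placeholders, not real file hashes.
from collections import defaultdict

class Trajectory:
    def __init__(self):
        self.seen = defaultdict(list)   # sha256 -> [(ts, host, parent_sha)]
        self.disposition = {}           # sha256 -> "unknown" | "clean" | "malicious"
        self.alerts = []                # (sha256, host, ts) raised retrospectively

    def observe(self, ts, host, sha256, parent_sha=None):
        """Point-in-time inspection: record the sighting, return the current verdict."""
        self.seen[sha256].append((ts, host, parent_sha))
        return self.disposition.setdefault(sha256, "unknown")

    def update_disposition(self, sha256, verdict):
        """A later verdict; a change to malicious re-evaluates all past sightings."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict == "malicious" and old != "malicious":
            for ts, host, _ in self.seen.get(sha256, []):
                self.alerts.append((sha256, host, ts))
        return old

    def affected_hosts(self, sha256):
        """Every host that has ever seen the hash: the 'find all affected hosts' query."""
        return sorted({host for _, host, _ in self.seen.get(sha256, [])})

    def root_cause(self, sha256):
        """Follow parent links until a file with no recorded parent is reached."""
        chain = [sha256]
        while True:
            parents = [p for _, _, p in self.seen.get(chain[-1], []) if p]
            if not parents or parents[0] in chain:   # stop at the root or on a cycle
                return chain
            chain.append(parents[0])

def demo():
    t = Trajectory()
    t.observe(1, "hostA", "HASH_DL")                          # browser download
    t.observe(2, "hostA", "HASH_DROP", parent_sha="HASH_DL")  # file it dropped
    t.observe(3, "hostB", "HASH_DROP", parent_sha="HASH_DL")
    t.observe(5, "hostC", "HASH_DROP")
    t.update_disposition("HASH_DROP", "malicious")            # verdict arrives later
    return t
```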
Cisco FirePOWER Next-Generation Security
Category (examples): FirePOWER Services | Typical IPS | Typical NGFW
Threats (Attacks, Anomalies): ✔ | ✔ | ✔
Users (AD, LDAP, POP3): ✔ | ✗ | ✔
Web Applications (Facebook Chat, Ebay): ✔ | ✗ | ✔
Application Protocols (HTTP, SMTP, SSH): ✔ | ✗ | ✔
File Transfers (PDF, Office, EXE, JAR): ✔ | ✗ | ✔
Malware (Conficker, Flame): ✔ | ✗ | ✗
Command & Control Servers (C&C Security Intelligence): ✔ | ✗ | ✗
Client Applications (Firefox, IE6, BitTorrent): ✔ | ✗ | ✗
Network Servers (Apache 2.3.1, IIS4): ✔ | ✗ | ✗
Operating Systems (Windows, Linux): ✔ | ✗ | ✗
Routers & Switches (Cisco, Nortel, Wireless): ✔ | ✗ | ✗
Mobile Devices (iPhone, Android, Jail): ✔ | ✗ | ✗
Printers (HP, Xerox, Canon): ✔ | ✗ | ✗
VoIP Phones (Avaya, Polycom): ✔ | ✗ | ✗
Virtual Machines (VMware, Xen, RHEV): ✔ | ✗ | ✗
• Broad contextual awareness
• Enterprise-class management and automation
• Granular application controls
• Security policy tied to specific application risk
Device and Policy Management: Today
Device and Policy Management: Future
Cisco and Sourcefire—Better Together
Attack Continuum: BEFORE (Control, Enforce, Harden) → DURING (Detect, Block, Defend) → AFTER (Scope, Contain, Remediate)
Visibility and Context spans all three phases.
Combined portfolio, in slide order from left (before) to right (after) across the continuum: Firewall, NGFW, NAC + Identity Services, VPN, Client, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behavior Analysis
Summary
• Cisco and Sourcefire – Better together
• Network-wide visibility – best-in-class efficacy – lowest TCO
• Reduce complexity, increase capabilities, leverage your investment
• A platform strategy addressing a broad range of attack vectors – everywhere the threat manifests
• No need to sacrifice your Security for a ‘trendy’ box – your safety is too important