
BGA SOME/SOC Event - The Sourcefire Approach in a Threat-Focused Security Architecture


Next Generation Security

Fuat KILIÇ Consulting Systems Engineer - Security

Cisco and/or its affiliates. All rights reserved. Cisco Public

What would you do if you knew you would be compromised?!

Attack Continuum

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Coverage: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud

Point-in-time and Continuous

7 Pillars of Cisco Security Offerings

Security Products

Threat Research

Trainings and Certification

Security Services

Security Solutions

3rd Party Partnerships

CVDs

Latest Security Acquisitions

Ironport – Email And Web Security

Lancope * – Behavioral Anomaly Detection

(*): Not a full acquisition

Cognitive – Big Data Analytics

Meraki – Cloud Managed UTM

Sourcefire – Next Generation IPS and APT

Threatgrid – Advanced Malware Solutions

Neohapsis – Security Consultancy

+5B USD

6 Sourcefire NGIPS & AMP Presentation

You should also know the Estate of Your Network

Network Servers

Operating Systems

Routers and Switches

Mobile Devices

Printers

VoIP Phones

Virtual Machines

Client Applications

Files

Users

Web Applications

Application Protocols

Services

Malware Command and Control Servers

Vulnerabilities

NetFlow

Network Behavior

Processes

You cannot protect what you cannot see

Cisco Next Generation Security


Gartner Defines Next-Generation IPS


NGIPS Definition

•  Standard First-Gen IPS
•  Context Awareness
•  Application Awareness and full-stack visibility
•  Content Awareness
•  Adaptive Engine

Download at Sourcefire.com

*Source: “Defining Next-Generation Network Intrusion Prevention” Gartner, October 7, 2011


Context Awareness in Intrusion Events


Without context: Event: Attempted Privilege Gain | Target: 96.16.242.135

With host context: Event: Attempted Privilege Gain | Target: 96.16.242.135 (vulnerable) | Host OS: Blackberry | Apps: Mail, Browser, Twitter | Location: Whitehouse, US

With host and user context: Event: Attempted Privilege Gain | Target: 96.16.242.135 (vulnerable) | Host OS: Blackberry | Apps: Mail, Browser, Twitter | Location: Whitehouse, US | User ID: bobama | Full Name: Barack Obama | Department: Executive Office


FirePOWER Platform

FireSIGHT Management Center
•  Context Awareness
•  Operating System Identification
•  Fingerprint Applications (Web, Protocol & Client Versions)
•  Service Enumeration (HTTP, SMTP, RDP, etc.)
•  User Awareness
•  24x7 Monitoring (Passive & Inline)
•  Identify Assets' Potential Vulnerabilities (Weaknesses)
•  Leveraging Visibility/Vulnerabilities to "Adapt"
•  Access Control Rules Enforcement
•  Alerting, Correlation & Packet Capture

FirePOWER Platform/Services
•  Inspect, Detect, Drop, Allow, etc.
•  IPS, Application Control, Malware Inspection & URL Rating
•  Inline, Passive & Hybrid

FireSIGHT Brings Unprecedented Network Visibility

FireSIGHT – Unique Visibility (comparison chart: Typical NGFW vs. Cisco FireSIGHT System vs. Typical IPS)

Building Host Profile

OS & version identified

Server applications and version

Client applications and client version

Who is at the host

What other systems / IPs did the user have, and when?

•  Converting Data into Information

Retrospective Security: Shrink Time between Detection and Cure (example vectors: PDF, Mail, Admin Request)

Multi-vector Correlation: Early Warning for Advanced Threats (Host A: 2 IoCs, Host B: 5 IoCs, Host C: 3 IoCs)

Dynamic Security Control: Adapt Policy to Risks

Automated, Integrated, Adaptive Threat Defense: Superior Protection for the Entire Attack Continuum

Context and Threat Correlation: Impact Assessment (Priority 1, Priority 2, Priority 3)

FireSIGHT Impact Assessment

Correlates all intrusion events to an impact of the attack against the target

Impact Flag | Administrator Action                   | Why
1           | Act immediately, vulnerable            | Event corresponds to vulnerability mapped to host
2           | Investigate, potentially vulnerable    | Relevant port open or protocol in use, but no vuln mapped
3           | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4           | Good to know, unknown target           | Monitored network, but unknown host
0           | Good to know, unknown network          | Unmonitored network
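As an added example (not FireSIGHT or Sourcefire code), the following Python assigns the impact flags from the table above to sample intrusion events by correlating each event with a host inventory of the kind passive discovery builds. The host profile, the SAMPLE-VULN-* identifiers, the monitored network and the events are all constructed sample data, and the open-port and vulnerability fields are an assumed representation of such an inventory.

```python
"""Added example, not FireSIGHT or Sourcefire code: assigns the impact flags from
the table above to intrusion events by correlating each event against a host
inventory built from passive discovery. Hosts, vulnerability ids and events are
constructed sample data; SAMPLE-VULN-* ids are placeholders, not real CVEs."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HostProfile:
    ip: str
    os: str
    open_ports: frozenset   # (protocol, port) pairs observed in use on the host
    vulns: frozenset        # vulnerability ids mapped to the host's OS and services


@dataclass(frozen=True)
class IntrusionEvent:
    rule: str
    target_ip: str
    protocol: str
    port: int
    vulns: frozenset        # vulnerability ids the rule detects attempts against


IMPACT_ACTION = {
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}


def impact_flag(event, inventory, monitored_networks):
    """Return the impact flag (0-4) for one event, following the table's 'Why' column."""
    target = ipaddress.ip_address(event.target_ip)
    if not any(target in net for net in monitored_networks):
        return 0                                   # unmonitored network
    host = inventory.get(event.target_ip)
    if host is None:
        return 4                                   # monitored network, but unknown host
    if event.vulns & host.vulns:
        return 1                                   # vulnerability mapped to the host
    if (event.protocol, event.port) in host.open_ports:
        return 2                                   # port open / protocol in use, no vuln mapped
    return 3                                       # port not open or protocol not in use


def triage(events, inventory, monitored_networks):
    """Order events for an analyst: flag 1 first, flag 0 (unknown network) last."""
    flagged = [(impact_flag(e, inventory, monitored_networks), e) for e in events]
    flagged.sort(key=lambda fe: fe[0] if fe[0] else 5)
    return [(flag, IMPACT_ACTION[flag], e.rule, e.target_ip) for flag, e in flagged]


# Constructed sample inventory: one profiled Windows server inside a monitored /16.
SAMPLE_INVENTORY = {
    "10.0.1.10": HostProfile("10.0.1.10", "Windows Server 2008",
                             frozenset({("tcp", 445), ("tcp", 3389)}),
                             frozenset({"SAMPLE-VULN-001"})),
}
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed sample events, deliberately listed out of priority order.
SAMPLE_EVENTS = [
    IntrusionEvent("HTTP exploit attempt", "10.0.1.10", "tcp", 80, frozenset({"SAMPLE-VULN-003"})),
    IntrusionEvent("SMB remote code execution attempt", "192.0.2.5", "tcp", 445, frozenset({"SAMPLE-VULN-001"})),
    IntrusionEvent("SMB remote code execution attempt", "10.0.1.10", "tcp", 445, frozenset({"SAMPLE-VULN-001"})),
    IntrusionEvent("RDP exploit attempt", "10.0.1.77", "tcp", 3389, frozenset({"SAMPLE-VULN-002"})),
    IntrusionEvent("RDP exploit attempt", "10.0.1.10", "tcp", 3389, frozenset({"SAMPLE-VULN-002"})),
]

if __name__ == "__main__":
    for flag, action, rule, target in triage(SAMPLE_EVENTS, SAMPLE_INVENTORY, MONITORED_NETWORKS):
        print(f"impact {flag}: {action:40} {rule} -> {target}")
```

The flag for an event depends entirely on how complete the host inventory is: the same SMB rule firing against the profiled server yields impact 1, against an unprofiled address in the monitored range yields impact 4, and against an address outside the monitored networks yields impact 0, which is why the slides tie impact assessment to the passive discovery described earlier.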


Indications of Compromise (IoCs)

IPS Events: Malware Backdoors, Exploit Kits, Web App Attacks, CnC Connections, Admin Privilege Escalations

SI Events: Connections to Known CnC IPs

Malware Events: Malware Detections, Office/PDF/Java Compromises, Malware Executions, Dropper Infections

Gartner Leadership

Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.

As of December 2013. Source: Gartner (December 2013)

[Magic Quadrant chart: vertical axis "ability to execute", horizontal axis "vision"; quadrants challengers, leaders, niche players, visionaries. Vendors shown: Radware, StoneSoft (McAfee), IBM, Cisco, HP, McAfee, Sourcefire (Cisco), Huawei, Enterasys Networks (Extreme Networks), NSFOCUS Information Technology]

2012 NSS Labs SVM for IPS

2013 NSS Labs SVM for IPS

2015 NSS Labs SVM for IPS

ASA with FirePOWER Services Available Now!!

Industry’s First Threat-Focused NGFW

#1 Cisco Security announcement of the year!

•  Integrating defense layers helps organizations get the best visibility

•  Enable dynamic controls to automatically adapt

•  Protect against advanced threats across the entire attack continuum

Proven Cisco ASA firewalling

Industry leading NGIPS and AMP

Cisco ASA with FirePOWER Services

Cisco Confidential 22 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

NSS Labs – Next-Generation Firewall Security Value Map

Source: NSS Labs 2014

The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 compared with other vendors. All three products achieved 99.2 percent in security effectiveness, so customers can be confident that they will receive the best protection possible regardless of deployment.

Cisco Advanced Malware Protection


•  Plan A: Prevention
   •  Speed: Real-time, dynamic decisions trained on data
   •  Static and Dynamic Analysis for Threat Intelligence
   •  High accuracy, low false positives / negatives
   •  Bolster the walls, reduce attack surface
   •  Mode: Security control

•  Plan B: Retrospection
   •  Track system behaviors without regard to disposition
   •  Extend analysis beyond the event horizon
   •  Contain & correct damage, expel embedded intruders
   •  Reveals malicious activity and reduces response time
   •  Mode: Incident Response

Do Security Different!


Plan A: The Prevention Framework

1-to-1 Signatures

Fuzzy Fingerprinting

Machine Learning

IOCs

Dynamic Analysis

Advanced Analytics

Device Flow Correlation

Advanced Analytics - Prevalence

Plan A: The Prevention Framework (1-to-1 Signatures, Fuzzy Fingerprinting, Machine Learning, IOCs, Dynamic Analysis, Advanced Analytics, Device Flow Correlation): All Detection < 100%

Plan B: The Retrospection Framework

Retrospective Security

Continuous Protection


Plan B: Retrospection Framework

Continuous Analysis (over time):
•  A file arrives; Initial Disposition = CLEAN
•  Analysis continues
•  A Retrospective Alert is sent later when Disposition = BAD
•  When you can't detect 100%, Retrospective Visibility is critical

Typical Analysis (over time):
•  The file is checked once with 1-to-1, Fuzzy Fingerprints, Machine Learning, Sandboxing, etc.; Disposition = CLEAN
•  Analysis Stops After Initial Disposition
•  Limits of the initial check: Sleep techniques, Unknown protocols, Encryption, Performance
•  Actually... Disposition = BAD ... too late!

Comprehensive Environment Protection with AMP Everywhere

Cisco Advanced Malware Protection

AMP Protection | Method                                                      | Ideal for
Content        | License with ESA or WSA                                     | New or existing Cisco Email or Web Security customers
Network        | Stand Alone Solution -or- Enable AMP on FirePOWER Appliance | NGIPS/NGFW customers
Endpoint       | Install on endpoints                                        | Windows, Mac, Android, VMs

Threat Vector: Email and Web, Networks, Devices

How Cisco AMP Works: Network File Trajectory Use Case


An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.

At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.

Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.

The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.

The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.

At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.

8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
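The Plan B retrospection timeline and the network file trajectory walkthrough above, as one added example that is not Cisco AMP or Sourcefire code: a small tracker that records every transfer of a file by hash, keeps accepting verdicts after the initial disposition, raises one retrospective event per host that received the file when the verdict changes to MALWARE, and blocks the file at re-entry once it is known bad. The hash is a placeholder, the date and the initial download time are constructed, the application on the 10:57 hop is assumed, and the host addresses and intervals follow the slides.

```python
"""Added example, not Cisco AMP or Sourcefire code: a minimal file-trajectory
tracker that keeps a file under analysis after its initial disposition and
raises retrospective events for every host that received the file once the
disposition changes to MALWARE. The hash, date and initial download time are
constructed sample data; the host IPs and intervals follow the slides."""
from collections import defaultdict
from datetime import datetime

# Constructed placeholder hash, not a real sample.
SAMPLE_SHA256 = "0000aaaa" * 8


class FileTrajectory:
    """Tracks where each file (by SHA-256) has been seen and its current disposition."""

    def __init__(self):
        self.disposition = {}               # sha256 -> "UNKNOWN" | "CLEAN" | "MALWARE"
        self.sightings = defaultdict(list)  # sha256 -> [(ts, src, dst, app)]
        self.retro_events = []              # retrospective alerts raised so far
        self.blocked = []                   # transfers blocked because the file was already known bad

    def observe(self, ts, sha256, src, dst, app):
        """Record a file transfer and return the verdict applied to it."""
        if self.disposition.get(sha256) == "MALWARE":
            # Known bad: block at the point of entry instead of recording a new sighting.
            self.blocked.append((ts, sha256, src, dst, app))
            return "BLOCK"
        self.sightings[sha256].append((ts, src, dst, app))
        self.disposition.setdefault(sha256, "UNKNOWN")
        return "ALLOW"

    def hosts_with_file(self, sha256):
        """Every host that received the file, i.e. the scope of a retrospective event."""
        return {dst for _, _, dst, _ in self.sightings.get(sha256, [])}

    def update_disposition(self, ts, sha256, new_disposition):
        """Apply a verdict from continuing analysis (sandbox, cloud intelligence, ...).

        A change from UNKNOWN/CLEAN to MALWARE raises one retrospective event per
        affected host; any other verdict, or a file never seen, raises none.
        """
        old = self.disposition.get(sha256, "UNKNOWN")
        self.disposition[sha256] = new_disposition
        sightings = self.sightings.get(sha256, [])
        if new_disposition != "MALWARE" or old == "MALWARE" or not sightings:
            return []
        first_seen = min(s[0] for s in sightings)
        events = [
            {
                "time": ts,
                "sha256": sha256,
                "host": host,
                "previous_disposition": old,
                "dwell": ts - first_seen,  # how long the file sat on the estate before conviction
            }
            for host in sorted(self.hosts_with_file(sha256))
        ]
        self.retro_events.extend(events)
        return events


def at(hour, minute):
    """Timestamp on a constructed date; only the times of day matter here."""
    return datetime(2014, 6, 2, hour, minute)


def run_scenario():
    """Replay the four-host trajectory from the slides."""
    t = FileTrajectory()
    t.observe(at(10, 40), SAMPLE_SHA256, "internet", "10.4.10.183", "Firefox")  # initial download (time constructed)
    t.update_disposition(at(10, 41), SAMPLE_SHA256, "CLEAN")                     # initial disposition from the one-time checks
    t.observe(at(10, 57), SAMPLE_SHA256, "10.4.10.183", "10.5.11.8", "SMB")      # application on this hop is assumed
    t.observe(at(17, 57), SAMPLE_SHA256, "10.5.11.8", "10.3.4.51", "SMB")        # seven hours later
    t.observe(at(18, 27), SAMPLE_SHA256, "10.3.4.51", "10.5.60.66", "SMB")       # half an hour later
    t.update_disposition(at(18, 30), SAMPLE_SHA256, "MALWARE")                   # cloud learns the file is malicious
    t.observe(at(18, 40), SAMPLE_SHA256, "internet", "10.4.10.183", "Firefox")  # re-entry 8 hours after the first attack
    return t


SCENARIO = run_scenario()

if __name__ == "__main__":
    for ev in SCENARIO.retro_events:
        print(f"retrospective event {ev['time']:%H:%M} host={ev['host']} "
              f"previous={ev['previous_disposition']} dwell={ev['dwell']}")
    for ts, _, src, dst, app in SCENARIO.blocked:
        print(f"blocked {ts:%H:%M} {src} -> {dst} via {app}")
```

The dwell value carried in each event is the gap the "Shrink Time between Detection and Cure" slide refers to: in the typical-analysis model the CLEAN verdict at 10:41 would have been final and none of the four hosts would ever be alerted, whereas here the later MALWARE verdict reaches every host on the recorded trajectory at once.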

Visual Point of Reference: What is AMP exactly? What does it look like?


NSS Labs Security Value Map (SVM) for Breach Detection Systems

[Chart: vertical axis Security Effectiveness, horizontal axis TCO per Protected-Mbps]

The Results: Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value

Cisco Advanced Malware Protection
•  Best Protection Value
•  99.0% Breach Detection Rating
•  Lowest TCO per Protected-Mbps

Security Effectiveness: Overall Product Ratings

Cisco-Sourcefire AMP Results – For Detection Capability Only

FirePOWER Platforms


[Chart: Sourcefire AMP Detection Systems and IPS Performance and Scalability, positioned across Data Center, Campus, Branch Office, SOHO and Internet Edge]

FirePOWER 7000 Series: 50 Mbps – 250 Mbps
FirePOWER 7100 Series: 500 Mbps – 1 Gbps
FirePOWER 7120/7125/8120: 1 Gbps – 2 Gbps
FirePOWER 8100/8200: 2 Gbps – 10 Gbps
FirePOWER 8200 Series: 10 Gbps – 40 Gbps

•  From 50 Mbps to 60 Gbps
•  Modularity in 8000 Series
•  Fixed Connectivity in 7000 Series
•  Mixed SFPs in 7100 Series
•  Configuration Fail-Open & Fail-Close across all
•  Scalable 8000 Series Runs NGIPS, AMP and App Control in the same chassis

SSL Appliance vs Integrated SSL

Choose external SSL for high bandwidth and the ability to inspect with other solutions, e.g. DLP.

[SSL Decryption diagram: Client, SSL Appliance, FirePOWER, Server; traffic is Encrypted between the Client and the SSL Appliance and between the SSL Appliance and the Server, and Decrypted where FirePOWER inspects it]

Use the new built-in SSL inspection for simplicity and cost-effectiveness (v5.4 onwards only).

Fire and ISE

[Diagram: FirePOWER threat detection drives ISE quarantine actions through the EPS REST API]

Threat Detection
•  IDS Sig
•  Malware
•  Traffic
•  Application
•  And Many More..

Automagical, Dynamic, Squirrely Threat/Malware/Attack Response/Defense

ISE Quarantine Action
•  VLAN Assignment
•  dACLs
•  SGT
•  QoS TAG