Intelligent Cybersecurity for the Real World
Hermes Romero
Regional Security Sales, Sourcefire
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
Comprehensive Security Portfolio
(Cisco and Sourcefire products, listed by category)

Firewall & NGFW
• Cisco ASA 5500-X Series
• Cisco ASA 5500-X w/ NGFW license
• Cisco ASA 5585-X w/ NGFW blade
• FirePOWER NGFW
• FirePOWER Virtual

IPS & NGIPS
• Cisco IPS 4300 Series
• Cisco ASA 5500-X Series integrated IPS
• FirePOWER NGIPS (FirePOWER appliance)

Application Control
• FirePOWER NGIPS w/ Application Control license

Advanced Malware Protection
• FireAMP
• FireAMP Mobile
• FireAMP Virtual
• AMP for FirePOWER
• Dedicated AMP

Web Security
• Cisco Web Security Appliance (WSA)
• Cisco Virtual Web Security Appliance (vWSA)
• Cisco Cloud Web Security

Email Security
• Cisco Email Security Appliance (ESA)
• Cisco Virtual Email Security Appliance (vESA)
• Cisco Cloud Email

VPN
• Cisco AnyConnect VPN

UTM
• Meraki MX

NAC + Identity Services
• Cisco Identity Services Engine (ISE)
• Cisco Access Control Server (ACS)
Sourcefire Background and Market Leadership
Leveraging A Powerful Community
The New Security Model
Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Cloud
Point in Time | Continuous
COVERING THE ATTACK CONTINUUM
Attack Continuum
BEFORE: Control, Policy, Tuning
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Solutions: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Web Security, Network Behavior Analysis, NAC + Identity Services, Email Security
Visibility and Context
Leadership
The Path “Up and Right”
Gartner Magic Quadrant for IPS (as of December 2013; Source: Gartner, December 2013)
Axes: ability to execute (vertical), vision (horizontal)
Quadrants: challengers, leaders, visionaries, niche players
Vendors plotted: McAfee, Sourcefire (Cisco), HP, Cisco, IBM, NSFOCUS, StoneSoft (McAfee), Radware, Enterasys Networks (Extreme Networks), Huawei
Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.
FirePOWER™ NGIPS Best-in-Class
• Best Threat Effectiveness
• Highest Throughput
• Most Sessions
• Best Value (lowest TCO/protected Mbps)
“For the past five years, Sourcefire has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities.”
Vikram Phatak, CTO NSS Labs, Inc.
Top Ratings (8290)*
• 99.4% detection & protection
• 136Gbps inspected throughput
• 60M concurrent connections
• $13.6 TCO / protected Mbps
*NSS Labs 2014 Data Center IPS Product Analysis Report
Sourcefire NGIPS
Security is About Detecting, Understanding, & Stopping Threats
Today’s Reality: 621 breaches in 2012
• 92% stemmed from external agents
• 52% utilized some form of hacking
• 40% incorporated malware
• 78% of attacks not highly difficult
Source: 2013 Verizon Data Breach Investigation Report
(Diagram: high speed inspection of content, annotated with the host context gathered per connection, such as IP address, hostname, OS and user.)
Reality: today's threats require a philosophy of threat prevention as core to security.
Sourcefire’s Security Solutions
Management Center (Appliances | Virtual)
Next-Generation Firewall and Next-Generation Intrusion Prevention (Appliances | Virtual)
Advanced Malware Protection (Hosts | Virtual | Mobile)
Contextual Awareness
Collective Security Intelligence
FireSIGHT™ Full Stack Visibility

Categories                  Examples                    Sourcefire FireSIGHT   Typical IPS   Typical NGFW
Threats                     Attacks, Anomalies          ✔                      ✔             ✔
Users                       AD, LDAP, POP3              ✔                      ✗             ✔
Web Applications            Facebook Chat, Ebay         ✔                      ✗             ✔
Application Protocols       HTTP, SMTP, SSH             ✔                      ✗             ✔
File Transfers              PDF, Office, EXE, JAR       ✔                      ✗             ✔
Malware                     Conficker, Flame            ✔                      ✗             ✗
Command & Control Servers   C&C Security Intelligence   ✔                      ✗             ✗
Client Applications         Firefox, IE6, BitTorrent    ✔                      ✗             ✗
Network Servers             Apache 2.3.1, IIS4          ✔                      ✗             ✗
Operating Systems           Windows, Linux              ✔                      ✗             ✗
Routers & Switches          Cisco, Wireless             ✔                      ✗             ✗
Mobile Devices              iPhone, Android, Jail       ✔                      ✗             ✗
Printers                    HP, Xerox, Canon            ✔                      ✗             ✗
VoIP Phones                 Cisco, Avaya, Polycom       ✔                      ✗             ✗
Virtual Machines            VMware, Xen, RHEV           ✔                      ✗             ✗

Contextual Awareness: Information Superiority
FireSIGHT™ Context Explorer
View all application
traffic…
Look for risky
applications…
What else have these users been up to?
Who is using them?
On what operating systems?
What does their traffic look like over time?
FireSIGHT™ Enables Automation
IT Insight: Spot rogue hosts, anomalies, policy violations, and more
Impact Assessment: Threat correlation reduces actionable events by up to 99%
Automated Tuning: Adjust IPS policies automatically based on network change
User Identification: Associate users with security and compliance events
Robust Partner Ecosystem
BEFORE: Policy and Control
DURING: Identification and Block
AFTER: Analysis and Remediation
Partner categories: Vulnerability Management, Custom Detection, Full Packet Capture, Incident Response, NAC, Network Access Taps, Infrastructure & Mobility, Visualization, SIEM
Combined API Framework
Sourcefire NGFW Application Control
Reduce Risk Through Granular Application Control
Control access for applications, users and devices
• “Employees may view Facebook, but only Marketing may post to it”
• “No one may use peer-to-peer file sharing apps”
Over 2,200 apps, devices, and more!
Dashboard
Application Control Example
Prevent BitTorrent
URL Filtering
• Block non-business-related sites by category
• Based on user and user group
Don’t Forget: Apps are Often Encrypted!
(App logos) and default to SSL
Benefits of Sourcefire off-box decryption solution:
• Improved Performance – acceleration and policy
• Centralized Key Management
• Interoperable with 3rd party products
SSL appliance models:
SSL1500: 1.5 Gbps, 4 Gbps total
SSL2000: 2.5 Gbps, 10 Gbps total
SSL8200: 3.5 Gbps, 20 Gbps total
FirePOWER™ & FireAMP™ Advanced Malware Protection (AMP) Solution
In Spite of Layers of Defense
Attack Continuum
BEFORE (Discover, Enforce, Harden): Malware is getting through control based defenses
DURING (Detect, Block, Defend): Malware Prevention is NOT 100%
AFTER (Scope, Contain, Remediate): Breach. Existing tools are labor intensive and require expertise
Each stage represents a separate process silo attackers use to their advantage.
APT / Advanced Malware
Is now a tool for financial gain
• Uses formal Development Techniques
  o Sandbox aware
  o Quality Assurance to evade detection
  o 24/7 Tech support available
• Has become a math problem
  o End Point AV Signatures ~20 Million
  o Total KNOWN Malware Samples ~100 M
  o AV Efficacy Rate ~50%
Sourcefire Advanced Malware Protection
Retrospective Security
• Comprehensive: Network + Endpoint
• Continuous Analysis
• Integrated Response
• Big Data Analytics
• Control & Remediation
The Real Cost of Malware
Responding to an infection = Headaches = Time = $$
• Where do I start?
• How bad is the situation?
• What systems were impacted?
• How do we recover?
• How do we keep it from happening again?
Beyond the Event Horizon
Point-in-time Detection: Analysis Stops
• Not 100%: Antivirus, Sandboxing
• Evasion techniques: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism
• Blind to scope of compromise
• Initial Disposition = Clean; Actual Disposition = Bad = Too Late!!
Retrospective Detection: Analysis Continues
• Addresses limitations of point-in-time detection
• Turns back time
• Initial Disposition = Clean; Actual Disposition = Bad = Blocked
Continuous Visibility and Control are Key
File Trajectory
Quickly understand the scope of a malware problem
Network + Endpoint
FirePOWER™
FirePOWER™ Appliances Summary
All appliances include:
• Integrated lights-out management
• Sourcefire acceleration technology
• LCD display
Network Virtual Appliances
Virtual Sensor
• Inline or passive deployment
• Full NGIPS Capabilities
• Use Cases
  o SNORT Conversion
  o Small / Remote Sites
  o Virtualized workloads (PCI)
Virtual Defense Center (DC)
• Deployed as virtual appliance
• Manages up to 25 sensors
  o physical and virtual
  o single pane-of-glass
• Use Cases
  o Rapid Evaluation
  o Pre-production Testing
  o Service Providers
NOTE: Supports ESX(i) 4.x and 5.x on Sourcefire 5.x platforms. Supports RHEV 3.0 and Xen 3.3.2/3.4.2 on Sourcefire 4.x platforms only.
QUESTIONS??
Thank you!