Cisco offers next generation security solutions to protect networks from advanced threats. Their offerings include the FireSIGHT management platform for continuous monitoring and visibility across the network. Key products discussed are the Sourcefire Next Generation IPS which provides context awareness, application control and advanced malware protection. Cisco has also made several security acquisitions to enhance their capabilities in areas like email/web security, behavioral analytics, and threat intelligence.
Cisco and/or its affiliates. All rights reserved. Cisco Public
What would you do if you knew you would be compromised?!
Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Cloud, Email & Web
Point-in-time and Continuous
7 Pillars of Cisco Security Offerings
Security Products
Threat Research
Trainings and Certification
Security Services
Security Solutions
3rd Party Partnerships
CVDs
Latest Security Acquisitions
Ironport – Email and Web Security
Lancope * – Behavioral Anomaly Detection
(*): Not a full acquisition
Cognitive – Big Data Analytics
Meraki – Cloud Managed UTM
Sourcefire – Next Generation IPS and APT
Threatgrid – Advanced Malware Solutions
Neohapsis – Security Consultancy
+5B USD
Sourcefire NGIPS & AMP Presentation
You should also know the Estate of Your Network
Network, Servers, Operating Systems, Routers and Switches, Mobile Devices, Printers, VoIP Phones, Virtual Machines, Client Applications, Files, Users, Web Applications, Application Protocols, Services, Processes, Malware, Command and Control Servers, Vulnerabilities, NetFlow, Network Behavior
You cannot protect what you cannot see
Gartner Defines Next-Generation IPS
NGIPS Definition
• Standard First-Gen IPS
• Context Awareness
• Application Awareness and full-stack visibility
• Content Awareness
• Adaptive Engine
Download at Sourcefire.com
*Source: “Defining Next-Generation Network Intrusion Prevention” Gartner, October 7, 2011
Context Awareness in Intrusion Events
Event only:
Event: Attempted Privilege Gain
Target: 96.16.242.135
With host context:
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: Whitehouse, US
With user context:
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: Blackberry
Apps: Mail, Browser, Twitter
Location: Whitehouse, US
User ID: bobama
Full Name: Barack Obama
Department: Executive Office
FirePOWER Platform
FireSIGHT Management Center
• Context Awareness
• Operating System Identification
• Fingerprint Applications (Web, Protocol & Client Versions)
• Service Enumeration (HTTP, SMTP, RDP, etc.)
• User Awareness
• 24x7 Monitoring (Passive & Inline)
• Identify Assets' Potential Vulnerabilities (Weaknesses)
• Leveraging Visibility/Vulnerabilities to “Adapt”
• Access Control Rules Enforcement
• Alerting, Correlation & Packet Capture
FirePOWER Platform/Services
• Inspect, Detect, Drop, Allow, etc.
• IPS, Application Control, Malware Inspection & URL Rating
• Inline, Passive & Hybrid
FireSIGHT Brings Unprecedented Network Visibility
FireSIGHT – Unique Visibility
(Feature comparison chart: Typical NGFW vs. Cisco FireSIGHT System vs. Typical IPS)
Building Host Profile: Converting Data into Information
• OS & version identified
• Server applications and version
• Client applications and version
• Who is at the host
• What other systems / IPs did the user have, and when?
Automated, Integrated, Adaptive Threat Defense: Superior Protection for the Entire Attack Continuum
• Retrospective Security: shrink time between detection and cure
• Multi-vector Correlation: early warning for advanced threats (hosts ranked by IoC count, e.g. Host A: 2 IoCs, Host B: 5 IoCs, Host C: 3 IoCs)
• Context and Threat Correlation / Impact Assessment: events ranked Priority 1, Priority 2, Priority 3
• Adapt Policy to Risks: dynamic security control
FireSIGHT Impact Assessment
Correlates all intrusion events to an impact of the attack against the target

Impact Flag | Administrator Action                   | Why
1           | Act immediately, vulnerable            | Event corresponds to vulnerability mapped to host
2           | Investigate, potentially vulnerable    | Relevant port open or protocol in use, but no vuln mapped
3           | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4           | Good to know, unknown target           | Monitored network, but unknown host
0           | Good to know, unknown network          | Unmonitored network
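The impact-flag table above, together with the context-awareness slide (the same event shown bare, then with host context, then with user context), describes one decision procedure: correlate each intrusion event against what passive discovery knows about the target. The following is an added example of that procedure in Python; it is not FireSIGHT code. The host profiles, the monitored network, the vulnerability ids (VULN-0001 and VULN-0002) and the sample events are all constructed for the illustration, and the enrichment fields (host_os, apps, user) are the ones the slide shows rather than any real product schema.

```python
"""Impact assessment for intrusion events, following the five-flag table.

Added illustration, not FireSIGHT code. Host profiles, networks, vulnerability
ids and events are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Administrator action per impact flag, as given in the table.
IMPACT_ACTION = {
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}


@dataclass
class HostProfile:
    """What passive discovery has learned about one host (constructed fields)."""
    ip: str
    os: str = "unknown"
    open_services: Set[Tuple[str, int]] = field(default_factory=set)  # (proto, port)
    vulns: Set[str] = field(default_factory=set)  # vulnerability ids mapped to this host
    user: Optional[str] = None
    apps: Tuple[str, ...] = ()


@dataclass
class IntrusionEvent:
    name: str
    target_ip: str
    proto: str
    port: int
    vuln_id: Optional[str] = None  # vulnerability the signature corresponds to, if any


# Constructed sample network map: one monitored /8, two profiled hosts.
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
HOSTS: Dict[str, HostProfile] = {
    "10.0.0.5": HostProfile("10.0.0.5", os="Windows Server",
                            open_services={("tcp", 445), ("tcp", 3389)},
                            vulns={"VULN-0001"}, user="jdoe", apps=("RDP", "SMB")),
    "10.0.0.6": HostProfile("10.0.0.6", os="Linux", open_services={("tcp", 22)}),
}


def impact_flag(event: IntrusionEvent, hosts=HOSTS, monitored=MONITORED_NETWORKS) -> int:
    """Map one event to its impact flag using the table's rules, most severe first."""
    target = ipaddress.ip_address(event.target_ip)
    if not any(target in net for net in monitored):
        return 0  # unmonitored network: nothing is known about the target
    host = hosts.get(event.target_ip)
    if host is None:
        return 4  # monitored network, but the host was never profiled
    if event.vuln_id is not None and event.vuln_id in host.vulns:
        return 1  # the signature's vulnerability is mapped to this host
    if (event.proto, event.port) in host.open_services:
        return 2  # port open / protocol in use, but no matching vuln mapped
    return 3  # relevant port not open or protocol not in use


def enrich(event: IntrusionEvent, hosts=HOSTS, monitored=MONITORED_NETWORKS) -> dict:
    """Attach host and user context to the raw event, as the three slide stages do."""
    flag = impact_flag(event, hosts, monitored)
    host = hosts.get(event.target_ip)
    return {
        "event": event.name,
        "target": event.target_ip,
        "impact": flag,
        "action": IMPACT_ACTION[flag],
        "host_os": host.os if host else None,
        "apps": list(host.apps) if host else [],
        "user": host.user if host else None,
    }


def triage(events: List[IntrusionEvent], hosts=HOSTS, monitored=MONITORED_NETWORKS) -> List[dict]:
    """Order enriched events so flag-1 hits come first and unknowns (4, 0) sink to the bottom."""
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    return sorted((enrich(e, hosts, monitored) for e in events), key=lambda r: order[r["impact"]])


if __name__ == "__main__":
    sample = [
        IntrusionEvent("Attempted Privilege Gain", "192.0.2.7", "tcp", 445, "VULN-0001"),
        IntrusionEvent("Attempted Privilege Gain", "10.0.0.5", "tcp", 445, "VULN-0001"),
        IntrusionEvent("Attempted Privilege Gain", "10.0.0.6", "tcp", 445, "VULN-0001"),
    ]
    for row in triage(sample):
        print(row["impact"], row["action"], row["target"], row["user"])
```

The same raw signature hit on three targets lands on three different flags, which is the point of the slide: the event alone says nothing about urgency, the host profile does.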
Indications of Compromise (IoCs)
IPS Events: Malware Backdoors, Exploit Kits, Web App Attacks, CnC Connections, Admin Privilege Escalations
SI Events: Connections to Known CnC IPs
Malware Events: Malware Detections, Office/PDF/Java Compromises, Malware Executions, Dropper Infections
Gartner Leadership
Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.
(Magic Quadrant for Intrusion Prevention Systems as of December 2013; Source: Gartner (December 2013). Axes: ability to execute vs. completeness of vision; quadrants: leaders, challengers, visionaries, niche players. Vendors plotted: Sourcefire (Cisco), Cisco, HP, IBM, McAfee, StoneSoft (McAfee), Radware, Huawei, Enterasys Networks (Extreme Networks), NSFOCUS.)
2012 NSS Labs SVM for IPS
2013 NSS Labs SVM for IPS
2015 NSS Labs SVM for IPS
ASA with FirePOWER Services Available Now!!
Industry’s First Threat-Focused NGFW
#1 Cisco Security announcement of the year!
• Integrating defense layers helps organizations get the best visibility
• Enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum
Cisco ASA with FirePOWER Services = Proven Cisco ASA firewalling + Industry leading NGIPS and AMP
Comprehensive Environment Protection with AMP Everywhere
Cisco Advanced Malware Protection

AMP      | Threat Vector | Protection Method                                         | Ideal for
Content  | Email and Web | License with ESA or WSA                                   | New or existing Cisco Email or Web Security customers
Network  | Networks      | Stand-alone solution, or enable AMP on FirePOWER appliance | NGIPS/NGFW customers
Endpoint | Devices       | Install on endpoints                                      | Windows, Mac, Android, VMs
How Cisco AMP Works: Network File Trajectory Use Case
Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
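The trajectory walkthrough above is a procedure: record every host a file reaches, keep watching the file's verdict after the point-in-time decision, and when the verdict flips to malicious raise a retrospective event for every host that already has it and block further copies. The following is an added Python example of that bookkeeping; it is not Cisco AMP code and makes no claim about how the Collective Security Intelligence Cloud is implemented. The file hash, the timestamps, and the first two hosts (10.1.1.10 over HTTP and 10.2.2.20 over SMB) are constructed, since the slides describing the first two hops are not on this page; 10.3.4.51 and 10.5.60.66, the SMB transfers, the seven-hour and half-hour offsets and the eight-hour re-entry are taken from the slides.

```python
"""Retrospective security over a network file trajectory.

Added illustration, not Cisco AMP code. The hash, timestamps and the first two
hosts are constructed; 10.3.4.51 and 10.5.60.66 are the hosts named on the slides.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Sighting:
    host: str
    seen_at: datetime
    transport: str    # application that carried the file, e.g. "http" or "smb"
    disposition: str  # what the cloud said at the moment the file was seen


class FileTrajectory:
    """Per-hash history of where a file went, plus the latest verdict for it."""

    def __init__(self) -> None:
        self.sightings: Dict[str, List[Sighting]] = defaultdict(list)
        self.disposition: Dict[str, str] = {}  # sha256 -> unknown | clean | malicious
        self.retrospective_events: List[dict] = []

    def observe(self, sha256: str, host: str, seen_at: datetime, transport: str) -> str:
        """Point-in-time decision: block if already known malicious, else record and allow."""
        disp = self.disposition.get(sha256, "unknown")
        if disp == "malicious":
            return "blocked"
        self.sightings[sha256].append(Sighting(host, seen_at, transport, disp))
        return "allowed"

    def hosts_seen(self, sha256: str) -> List[str]:
        """Hosts in the order the file first reached them."""
        seen: List[str] = []
        for s in sorted(self.sightings[sha256], key=lambda s: s.seen_at):
            if s.host not in seen:
                seen.append(s.host)
        return seen

    def update_disposition(self, sha256: str, new_disposition: str, at: datetime) -> List[dict]:
        """Continuous analysis: when a verdict flips to malicious, raise one retrospective
        event per host that already received the file, however long ago that was."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = new_disposition
        if new_disposition != "malicious" or old == "malicious":
            return []
        events = []
        for host in self.hosts_seen(sha256):
            first = min(s.seen_at for s in self.sightings[sha256] if s.host == host)
            events.append({
                "sha256": sha256, "host": host, "first_seen": first, "raised_at": at,
                "dwell": at - first,     # how long the file sat on the host before the verdict
                "action": "quarantine",  # what an endpoint connector would do on receipt
            })
        self.retrospective_events.extend(events)
        return events


def run_scenario() -> dict:
    """Replay the slide timeline and return what the trajectory knows at the end."""
    t0 = datetime(2015, 3, 2, 9, 0)  # constructed start time
    sha = "sha256:CONSTRUCTED-EXAMPLE-HASH"
    traj = FileTrajectory()
    # Entry and first lateral hop: hosts and transports are constructed.
    traj.observe(sha, "10.1.1.10", t0, "http")
    traj.observe(sha, "10.2.2.20", t0 + timedelta(hours=1), "smb")
    # Hops named on the slides: third device after seven hours, fourth half an hour later, over SMB.
    traj.observe(sha, "10.3.4.51", t0 + timedelta(hours=7), "smb")
    traj.observe(sha, "10.5.60.66", t0 + timedelta(hours=7, minutes=30), "smb")
    # Cloud verdict changes: one retrospective event per device, all four at once.
    events = traj.update_disposition(sha, "malicious", t0 + timedelta(hours=7, minutes=45))
    # Eight hours after first entry the file is re-sent through the original entry point.
    reentry = traj.observe(sha, "10.1.1.10", t0 + timedelta(hours=8), "http")
    return {
        "hosts": traj.hosts_seen(sha),
        "retrospective_events": len(events),
        "longest_dwell_hours": max(e["dwell"] for e in events).total_seconds() / 3600,
        "reentry": reentry,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The dwell figure is what "shrink time between detection and cure" is measuring: without the stored trajectory, the first host's copy would only be found by a fresh scan, and the re-entry would be judged by the same point-in-time verdict that let it in the first time.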
NSS Labs Security Value Map (SVM) for Breach Detection Systems (axes: Security Effectiveness vs. TCO per Protected-Mbps)
The Results: Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value
Cisco Advanced Malware Protection: Best Protection Value
• 99.0% Breach Detection Rating
• Lowest TCO per Protected-Mbps
Sourcefire AMP Detection Systems
IPS Performance and Scalability (deployment scale: SOHO, Branch Office, Campus, Data Center, Internet Edge)
FirePOWER 7000 Series: 50 Mbps – 250 Mbps
FirePOWER 7100 Series: 500 Mbps – 1 Gbps
FirePOWER 7120/7125/8120: 1 Gbps – 2 Gbps
FirePOWER 8100/8200: 2 Gbps – 10 Gbps
FirePOWER 8200 Series: 10 Gbps – 40 Gbps
• From 50 Mbps to 60 Gbps
• Modularity in 8000 Series
• Fixed Connectivity in 7000 Series
• Mixed SFPs in 7100 Series
• Fail-Open & Fail-Close configurable across all
• Scalable 8000 Series
• Runs NGIPS, AMP and App Control in the same chassis
SSL Appliance vs Integrated SSL
SSL Decryption (diagram: traffic between Client and Server stays encrypted on both sides of the SSL Appliance, which hands a decrypted copy to FirePOWER for inspection)
• Choose an external SSL appliance for high bandwidth and the ability to inspect with other solutions, e.g. DLP
• Use the new built-in SSL inspection for simplicity and cost-effectiveness (v5.4 onwards only)