Preview of the latest Sourcefire IPS product news. We go into detail on the product news announced by Sourcefire in the last month, including:
New 3D8000 Series Sensors with FirePOWER
New Defense Center Models
New IPSx Solution
4. Let's Solve Problems
What are your challenges? How are they being addressed today? What's your ideal solution? What is your timeframe?
5. Today's Reality
"Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure." Neil MacDonald, VP & Gartner Fellow. Source: Gartner, Inc., "The Future of Information Security is Context Aware and Adaptive," May 14, 2010
Dynamic Threats: organized attackers; sophisticated threats; multiple attack vectors
Static Defenses: ineffective defenses; black box limits flexibility; set-and-forget doesn't work
8. Sourcefire Worldwide Locations
Worldwide HQ: Columbia, MD; Education & Professional Services: Livonia, MI; Americas Sales: Vienna, VA; EMEA HQ: Wokingham, UK; Central Europe Sales: Frankfurt, Germany; Southern Europe Sales: Paris, France; Japan Sales: Tokyo, Japan; Asia Pacific HQ: Singapore; ANZ Sales: Sydney, Australia; South American Sales: Sao Paulo, Brazil
10. About Sourcefire
Mission: To be the leading provider of intelligent cybersecurity solutions for the enterprise. Founded in 2001 by Snort creator Martin Roesch, CTO. Headquarters: Columbia, MD. Focus on enterprise and government customers. Global Security Alliance ecosystem. NASDAQ: FIRE
17. Gartner 2010 IPS Magic Quadrant FACT: Sourcefire has been a leader in Gartner’s IPS Magic Quadrant since 2006. The Magic Quadrant is copyrighted 6 December 2010 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
20. ✔ Virtual IPS offerings [completeness of vision]; broader product portfolio
21. NSS Labs Group IPS Test: Block Rate Comparison. Source: Graphic used with permission by NSS Labs. "Network Intrusion Prevention Systems Comparative Test Results," December 2009.
22. NSS Labs Group IPS Test: Resistance to Evasion. Juniper missed 60% of evasions; TippingPoint missed 80% of evasions; Cisco missed 100% of evasions. Source: Graphic used with permission by NSS Labs. "Network Intrusion Prevention Systems Comparative Test Results," December 2009.
23. About the Test: Second-Annual NSS Labs IPS Group Test, published December 2010; 11 vendors evaluated; 1,179 live exploits; 75 anti-evasion test cases; no cost to vendors to participate. Sourcefire Test Results: Recommend rating; best overall detection; best vulnerability coverage; best vendor-stated vs. actual performance; no evasions.
24. Best Overall Detection, Second Straight Year! (chart of per-vendor detection rates: 98%, 97%, 95%, 94%, 93%, 91%, 85%, 83%, 79%, 63%, 43%) Graphic by Sourcefire, Inc. Source data from NSS Labs "Network IPS 2010 Comparative Test Results."
26. Best Vendor-Stated vs. Actual Performance, Second Straight Year! Sourcefire's 2G IPS achieved 3.2G, 161% of vendor-stated performance (100% performance baseline). Most IPS products achieved well below vendor-stated performance claims. Graphic by Sourcefire, Inc. Computations derived from NSS Labs "Network IPS 2010 Comparative Test Results."
36. 3D8000 Series Product Line All 3D8000 Series chassis support lights out management, solid state drives, redundant power, and an LCD interface.
37. Hardware Platform Sets New Standard for Security Appliances. Modular: choose number and type of ports; lower entry prices. Expandable: add ports as needed. Scalable: add processing power as needed.
44. Traditional IPS vs. Next-Generation IPS
Architecture: Closed & Blind (traditional) vs. Open & Customizable (next-generation)
Awareness: None or Limited (traditional) vs. Visibility & Intelligence (next-generation)
Automation: Human Intensive (traditional) vs. Self Tuning & Precision (next-generation)
45. Next-Gen IPS – Open Architecture. Powerful engine & rules. Adaptable: custom fit to network; comprehensive coverage. Open community: information sharing; shared protection. Protection against Advanced Persistent Threats (APT).
46. Next-Gen IPS – The Power of Awareness
Network: know what's there, what's vulnerable, and what's under attack
Application: identify change and enforce policy on hundreds of applications
Behavior: detect anomalies in configuration, connections and data flow
Identity: know who is doing what, with what, and where
53. Intelligent Correlation to the Target (diagram: 3D Sensors reporting to the Defense Center; Linux server not vulnerable, event logged; Windows server vulnerable, attack blocked). Latest Windows attack targets Microsoft Windows Server and Linux Server. Attacks are correlated to targets. High-priority event generated for Windows Server target.
54. Intelligent Anomaly Detection (diagram: 3D Sensors and Defense Center; New Asset Detected; Abnormal Behavior Detected; Hosts Compromised; Abnormal Behavior Logged & Alerts Triggered; IT Remediates Hosts). New rogue host connects internally. Sourcefire detects new host and abnormal server behavior. Defense Center triggers alerts for IT to remediate.
55. Intelligent Application Violation (diagram: 3D Sensors and Defense Center; P2P App Triggers Whitelist Violation; Compliance Event Logged & User Identified; IT & HR Contact User). Security team uses compliance whitelists to detect IT policy violations. Host detected using Skype. User identified and then contacted by IT and HR.
59. Virtual Appliances for VMware & Xen
Sourcefire Virtual 3D Sensor™: identical IPS Sensor functionality; available throughputs: 5, 45, 100, 250 & 500 Mbps
Sourcefire Virtual Defense Center Management Console: identical Defense Center functionality, except no Master Defense Center (MDC) mode; manages both physical and virtual IPS 3D Sensors
60. What is RNA? Sourcefire's "Secret Sauce": passive network intelligence that detects hundreds of operating systems and applications and fuels powerful IPS automation: Impact Flags; Automated IPS Tuning; Compliance Rules & White Lists; Network Behavior Analysis
61. Real-Time User Awareness (RUA)
"Mapping a username to an IP address was taking us away from a backlog of other important tasks. What used to take up to an hour now takes just a second or two." Tamara Fisher, AutoTrader.com
RUA gives "personality" to security and compliance events! Clicking on a username reveals full name, telephone number, email, and department. Resolve security events more quickly when time is of the essence. Integrated into all Sourcefire 3D Sensors.
62. Sample Sourcefire Detection Hundreds of Apps, OS’s & Devices! Operating Systems Applications Network Infrastructure Consumer
65. 3D System 4.10 Highlights
Expanded Application & User Awareness: detect Facebook, Blackberry, Hotmail & more; Nmap update detects 2,500+ operating systems; encrypted RUA communications
Enhanced Deployment & Operation: inline IPS test mode; support for authenticated SMTP gateways & web proxies
Improved Third-Party Integration: direct database access for third-party reporting; support for SNMP polling; support for new Crossbeam products
Improved Performance & Usability: improved GUI performance; track reviewed events by user; simpler installation of customer SSL certificates
Refer to the "What's New in 3D System 4.10" document for more information
71. Knowledge transfer and best practices. "I can't say enough about the guys from Support. The phone gets picked up the moment I call. They stick with an issue diligently and make sure I get what I need. No other company has given me that level of service." Robert Wagner, Senior Security Architect
72. Why Sourcefire? Powered by Snort; Driven by Awareness; Best-in-Class Detection; Open Architecture; Highly Automated. Stop Doing Things the "Old Way!" Try the "Next Generation" in Intrusion Detection & Prevention.
Tailor your agenda for the meeting. This is the structure of the presentation.
Let’s discuss the challenges you are facing.
Start the conversation focusing on the prospect. What is the purpose of the meeting? If there are new people in the room this is a great time to white board all the issues from everyone and clearly identify future talking points in the presentation.
The network security model is broken! The attackers are well financed, motivated, and sophisticated in their methods of breaking into networks. How do you defend a network that is in a constant state of flux? Your set-and-forget IPS is not going to stop the attackers. We need to come up with a different solution to effectively protect our information…
According to Gartner's lead IPS analyst, Greg Young, detection is the most important feature of an IPS system. Sourcefire maintains a leadership position in providing the best detection through our Vulnerability Research Team (VRT). We have access to exploit and threat data from: the Snort ecosystem (engineers submitting PCAPs and rules to VRT); the ClamAV project (where we receive over 20,000 malware samples per day); Microsoft's MAPP program (early disclosure of vulnerabilities); and numerous private threat feeds. Our VRT team reverse engineers exploits, analyzes vulnerability data, and creates rapid IPS rules to help you properly defend your dynamic network.
Three models being launched: 10, 20, and 40 gigabits of throughput. Third-party validation by NSS over the past couple of weeks. Real-world performance numbers a magnitude higher than the competition's (can use the example of other competitors claiming 15G and only testing at 1.9G). The design of the platform is stackable, giving us the capability to support 80G of throughput with over 50G of real-world inspection. Stacking is supported 1U to 1U and 2U to 2U. Software updates expected later in 2011 will allow stacking of up to four 2U chassis for 80 Gbps / 56 Gbps NSS tested. These performance numbers for the 8U stacked configuration have been verified, although the software does not yet officially support that configuration.
Recap of the new models being offered starting the first week of May. The reduction of slots on the 8260 is due to stacking with an additional 2U chassis. All support lights-out management (serial console over Ethernet), solid state drives, hot-swappable redundant power for reliability, and an LCD for ease of deployment.
Need to discuss types of network modules supported, including 40G later in 2011
We mentioned that the security model was broken. We need new, innovative ways to defend the information that resides on our networks! Let's explore the new approach.
Let me introduce you to the key capabilities required in a Next-Generation IPS solution. In doing so, we'll compare the NGIPS to the traditional IPS systems that you can acquire today.
Architecture: Most traditional IPS systems are a black box with static rules/signatures. The architectures are closed, and the ability to precisely tailor the detection is often limited. One size fits all is not a workable architecture given today's advanced threats. The Next-Gen IPS should have an open architecture: how the product performs is exposed to the user, and the ability to customize the detection and prevention to fit your needs is never compromised by a "black box" architecture.
Awareness: Traditional IPSes are comprised of detection engines with a given set of rules, doing simple pattern matching to detect intrusions. Their intelligence is extremely limited. A Next-Generation IPS must be smart. Not only should the IPS detect a variety of attack methods, but it should also correlate attacks to the targets on your network to ensure precise detection while minimizing false alarms or blocking of good traffic.
Automation: Traditional IPSes require a significant number of resources to "tune" the IPS to your network and to analyze the volume of alerts generated by the system. Lack of precision has become so problematic that most customers give up, use the vendor's default rules, and hope the system will stop the attacks, while vendors cannot possibly enable, out of the box, a comprehensive set of rules that provides appropriate protection. The Next-Generation IPS is smart enough to automatically configure itself based on knowledge of what is running on the network.
As your network configuration changes, it adapts the rules to precisely protect your network: no more guesswork, no more extra effort. The intelligence also reduces false alarms by over 90%. With a Next-Generation IPS you can effectively defend your network while keeping operational costs from spiraling out of control and without sacrificing security.
The Next-Generation IPS is contextually aware and adaptive. In Sourcefire's system, we infuse the IPS with deep intelligence about the users, their usage, behavior, and data. The system then automatically customizes the detection and makes prevention recommendations based on what's running on your network. The system monitors the applications running on your systems, so that you can flexibly enforce the appropriate detection and compliance. The system enables you to detect compromise of your key systems and assets by constantly monitoring changes in behavior and configuration. And finally, it gives you the ability to associate all detection with a specific user name and contact info. Sourcefire brings you a super-intelligent IPS system that is fully integrated and always on, 24/7.
The results of leveraging a Next-Generation IPS are: Precision, since correlating attacks to the targeted network device has given our customers over 90% alarm reduction. Self-configuring detection, since the Next-Gen IPS automatically configures the detection to specifically what's running on your network; as your network changes, so does your detection. The system allows you to prevent intrusions without an army of engineers and gives you the confidence of knowing that an intelligent system is helping you defend your network.
Let’s look at the system in action.
This scenario shows us an external Microsoft attack targeting multiple systems. The system correlates the attack to the target and blocks the attack from impacting the Windows server (or any potentially vulnerable system).
The following scenario shows: a new device shows up on the LAN and is detected; the device attacks internal servers, and the system detects a change in behavior on the compromised systems; the system alerts on the change and directs the IT team to remediate the server and clients affected by the attack.
In this last scenario we illustrate an application violation. A user starts using Skype, and the system detects the unauthorized application usage. Alerts are logged and escalated to IT and HR to remediate the offending use of Skype. Sourcefire's Next-Generation IPS provides a rich set of prevention functionality in a fully integrated system.
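The attack-to-target correlation in this scenario and on the slide above (an IPS event rated by whether the destination host actually runs the OS and service the exploit applies to), as an added Python example not taken from Sourcefire's product or this presentation; the host inventory, the event fields, the rule SID and the four flag levels are constructed assumptions, not RNA's actual impact-flag scheme:

```python
from dataclasses import dataclass

# Triage ordering for the constructed flag levels (assumed, not Sourcefire's levels)
PRIORITY = {"high": 3, "medium": 2, "unknown": 1, "low": 0}

@dataclass(frozen=True)
class Host:
    ip: str
    os_family: str          # learned passively from traffic, e.g. "windows", "linux"
    services: frozenset     # (proto, port) pairs observed listening on the host

@dataclass(frozen=True)
class IdsEvent:
    sid: int
    msg: str
    src: str
    dst: str
    dport: int
    affects_os: frozenset   # OS families the exploited flaw applies to

# Constructed passive inventory standing in for a host map (sample data only)
INVENTORY = {
    "10.0.1.10": Host("10.0.1.10", "windows", frozenset({("tcp", 445)})),
    "10.0.1.20": Host("10.0.1.20", "linux", frozenset({("tcp", 22), ("tcp", 80)})),
}

def impact_flag(event: IdsEvent, inventory: dict) -> str:
    """Rate an IDS event by whether its target is actually exposed to it."""
    host = inventory.get(event.dst)
    if host is None:
        return "unknown"    # target never profiled: cannot be ruled in or out
    if host.os_family not in event.affects_os:
        return "low"        # exploit is for a different OS family (the Linux server)
    if ("tcp", event.dport) in host.services:
        return "high"       # right OS and the targeted service is listening (the Windows server)
    return "medium"         # right OS, but the service was never seen on that port

def triage(events, inventory):
    """Pair each event with its flag and return them highest-impact first."""
    flagged = [(impact_flag(e, inventory), e) for e in events]
    return sorted(flagged, key=lambda fe: PRIORITY[fe[0]], reverse=True)

# Constructed events: one Windows SMB exploit attempt aimed at three internal hosts
SAMPLE_EVENTS = [
    IdsEvent(1000001, "SMB remote code execution attempt", "203.0.113.5", "10.0.1.20", 445, frozenset({"windows"})),
    IdsEvent(1000001, "SMB remote code execution attempt", "203.0.113.5", "10.0.1.10", 445, frozenset({"windows"})),
    IdsEvent(1000001, "SMB remote code execution attempt", "203.0.113.5", "10.0.1.99", 445, frozenset({"windows"})),
]

if __name__ == "__main__":
    for flag, ev in triage(SAMPLE_EVENTS, INVENTORY):
        print(f"{flag:8} {ev.dst} sid:{ev.sid} {ev.msg}")
```

The unprofiled target is deliberately kept above "low": an exploit aimed at a host the sensors have never seen is a gap in visibility, not evidence of immunity.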
Let’s look at the products that make up our Next-Generation IPS.
The first component of the solution is our IPS sensors, delivered as appliances ranging from 5 Mbps to 20 Gbps. Our awareness technologies are delivered as software; you can load them on our appliances or on your preferred device. Our system can also be deployed on a virtualized platform running VMware or Xen. We offer a separate SSL inspection appliance to perform IDS/IPS on encrypted traffic. And finally we have our Defense Center (DC), which provides command and control of our sensors in your network, and event management and correlation. The DC can be set up in an HA mode and layered into a Master DC for enterprise scale. All DCs have built-in data management functions to manage hundreds of millions of events.
Our philosophy is to have an open architecture and open ecosystem. Our Next-Generation IPS is designed with open APIs to interact with all of the best-of-breed technologies that you have already deployed in multiple areas. Openness provides you with realistic deployment flexibility.
Sourcefire has been leading the IDS/IPS market in innovation, starting with the industry's de-facto standard engine, Snort: the most powerful, flexible detection, and an intelligence-driven system that provides robust security while controlling the costs associated with the deployment. If you're serious about defending against today's sophisticated attacks, a Next-Generation IPS is a must. Thank you for your time… are there any questions?