Next Generation Security
Next Generation Security presentation for Cisco Connect Canada Tour 2014.

Published in: Technology
  1. Next Generation Security
     Rob Bleeker, Security Consulting Systems Engineer, CCIE# 2926, CISSP
     Justin Malczewski
  2. The Industrialization of Hacking
     © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
     Timeline 1990–2020: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape
     • Viruses: 1990–2000
     • Worms: 2000–2005
     • Spyware and Rootkits: 2005–Today
     • APTs, Cyberware: Today+
  3. How Bad – 2013 and Beyond
     145 Million, 152 Million, 70 Million, 60 Million, 50 Million, 50 Million, and a lot more!!!!!!
  4. Needs to be a Better Approach
     Current approach has never worked!
     Imagine – Security as an Architecture
  5. The New Security Model
     Attack Continuum across Network, Endpoint, Mobile, Virtual, Cloud:
     • BEFORE: Discover, Enforce, Harden
     • DURING: Detect, Block, Defend
     • AFTER: Scope, Contain, Remediate
     Point in Time vs. Continuous
  6. Cyber Attack Chain
     Recon, Package, Deliver, Exploit, Install, CnC, Act
     • BEFORE: Discover, Enforce, Harden
     • DURING: Detect, Block, Prevent
     • AFTER: Scope, Contain, Remediate
     Visibility and Context: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behavior Analysis
  7. The More You See… The better you can protect.
  8. Visibility, Control
     Cisco Security Intelligence Operation (Cisco® SIO) collects from WWW, Email, Web, Devices, IPS, Endpoints and Networks, and feeds Cloud, AnyConnect®, IPS, ESA, WSA and ASA.
     • More than 150 Million deployed endpoints
     • 100 TB data received per day
     • 1.6 Million global sensors
     • 40% of worldwide email traffic
     • 13 Billion web requests
     • 3 to 5 minute updates
     • More than 200 parameters tracked
     • More than 5500 IPS signatures produced
     • More than 8 Million rules per day
     • More than 70 publications produced
     • More than 40 languages
     • More than 80 PhD, CCIE, CISSP, MSCE
     • More than $100 Million spent in dynamic research and development
     • 24 hours daily operations
     • More than 800 engineers, technicians, and researchers
  9. Collective Security Intelligence
     Outputs: IPS Rules, Malware Protection, Reputation Feeds, Vulnerability Database Updates
     Inputs: Sourcefire AEGIS™ Program, Private and Public Threat Feeds, Sandnets, FireAMP™ Community, Honeypots, Advanced Microsoft and Industry Disclosures, SPARK Program, Snort and ClamAV Open Source Communities, File Samples (>380,000 per Day)
     Sourcefire VRT® (Vulnerability Research Team): Sandboxing, Machine Learning, Big Data Infrastructure
  10. ASA with FirePOWER Services
  11. Mission: Security from Cloud to Core
      Founded in 2001 by Marty Roesch
      • Market leader in (NG)IPS
      • Recent entrant to NGFW space with strong offering
      • Groundbreaking Advanced Malware Protection solution
      Innovative – 52+ patents issued or pending
      • Pioneer in IPS, context-driven security, advanced malware
      World-class research capability
      Owner of major Open Source security projects
      • Snort, ClamAV, Razorback
  12. Sourcefire Security Solutions
      Collective Security Intelligence; Management Center (Appliances | Virtual)
      • Next-Generation Firewall and Next-Generation Intrusion Prevention (Appliances | Virtual)
      • Advanced Malware Protection (Hosts | Virtual | Mobile)
      • Contextual Awareness
  13. FirePOWER Services for ASA: Components
      FirePOWER Services software module:
      • Models: ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X
      • SSD drive required
      • FirePOWER Services software module
      • Licenses and subscriptions
      ASA 5585-X FirePOWER Services blade:
      • Models: ASA 5585-X-10, ASA 5585-X-20, ASA 5585-X-40, ASA 5585-X-60
      • New FirePOWER Services hardware module required
      • Licenses and subscriptions
  14. 2014 NSS Labs SVM for NGFW
  15. Functional Distribution
      Base ASA: ACL, NAT, VPN Termination, Routing
      FirePOWER Services Module: Advanced Malware Protection, AVC (App Control), NGIPS, URL Filtering
  16. Next Generation Security on a Trusted Firewall
      • FirePOWER Services (NGIPS, NGFW/AVC, AMP), managed by the FireSIGHT Management Center: comprehensive SECOPS workflows
      • ASA Software, managed by Cisco Security Manager (CSM) or ASDM: comprehensive NETOPS workflows
  17. Why does this matter (NGFW Realities: OpenAppID)
      • Application visibility efficacy is NOT 100%. Today the best efficacy around App ID is about 65%.
      • If you are looking to strengthen your overall security posture, then building policies with 65% efficacy is putting your organization at risk. This creates a hit-and-miss security model.
      • Application ID is non-deterministic and applications are evasive; what happens with unknown applications?
      • Logging of unknown applications should take place, and silent drops are forbidden in security – you need to know what has happened even if the application has not been identified.
      Cisco still understands the value of app visibility/control:
      • Application visibility and control and web filtering have been within Cisco's portfolio for 5+ years. We have led this with our Cisco IronPort WSA and our CWS (ScanSafe) solutions, and we have brought this quadrant-leading product to our next-generation ASA platform.
      • Built upon a strong traditional stateful firewall platform that has been proven within the industry.
      Cisco is solving the application ID efficacy problem with OpenAppID.
  18. NGFW Realities – The Blocks of Building the Best NGFW
      (Chart: scale Poor / Good / Great, "Difficult to Build at Best", comparing "NGFW Today" with "ASA with FirePOWER Services" across Traditional FW, VPN, APP, URL, IPS, Malware, Visibility and Integration)
      How: Cisco will be adding FireAMP for malware and Sourcefire NGIPS, and further ISE integration.
      Very difficult to build the best of breed for all elements that make a NGFW.
      Note: the great, good, and poor ratings change depending on the product referenced.
  19. FirePOWER Services: Application Control
      • Control access for applications, users and devices
      • "Employees may view Facebook, but only Marketing may post to it"
      • "No one may use peer-to-peer file sharing apps"
      Over 3,000 apps, devices, and more!
  20. Application Control
      • Social: Security and DLP
      • Mobile: Enforce BYOD Policy
      • Bandwidth: Recover Lost Bandwidth
      • Security: Reduce Attack Surface
  21. FirePOWER Services: URL Filtering
      • Block non-business-related sites by category
      • Based on user and user group
  22. FireSIGHT™ Full Stack Visibility (Contextual Awareness, Information Superiority)
      Category (examples): FirePOWER Services / Typical IPS / Typical NGFW
      • Threats (Attacks, Anomalies): ✔ / ✔ / ✔
      • Users (AD, LDAP, POP3): ✔ / ✗ / ✔
      • Web Applications (Facebook Chat, Ebay): ✔ / ✗ / ✔
      • Application Protocols (HTTP, SMTP, SSH): ✔ / ✗ / ✔
      • File Transfers (PDF, Office, EXE, JAR): ✔ / ✗ / ✔
      • Malware (Conficker, Flame): ✔ / ✗ / ✗
      • Command & Control Servers (C&C Security Intelligence): ✔ / ✗ / ✗
      • Client Applications (Firefox, IE6, BitTorrent): ✔ / ✗ / ✗
      • Network Servers (Apache 2.3.1, IIS4): ✔ / ✗ / ✗
      • Operating Systems (Windows, Linux): ✔ / ✗ / ✗
      • Routers & Switches (Cisco, Nortel, Wireless): ✔ / ✗ / ✗
      • Mobile Devices (iPhone, Android, Jail): ✔ / ✗ / ✗
      • Printers (HP, Xerox, Canon): ✔ / ✗ / ✗
      • VoIP Phones (Cisco phones): ✔ / ✗ / ✗
      • Virtual Machines (VMware, Xen, RHEV): ✔ / ✗ / ✗
  23. Impact Assessment
      Correlates all intrusion events to an impact of the attack against the target.
      Impact flag (administrator action) and why:
      • Act Immediately (Vulnerable): event corresponds to a vulnerability mapped to the host
      • Investigate (Potentially Vulnerable): relevant port open or protocol in use, but no vulnerability mapped
      • Good to Know (Currently Not Vulnerable): relevant port not open or protocol not in use
      • Good to Know (Unknown Target): monitored network, but unknown host
      • Good to Know (Unknown Network): unmonitored network
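The impact-assessment decision table above can be coded directly. The following is an added example, not Cisco or Sourcefire code: the host-profile and event structures, the numbering of the impact levels, the vulnerability ids and all sample data are constructed for illustration. It rates each alert against what discovery knows about the target and orders them for an analyst.

```python
# Impact assessment in the style of the FireSIGHT slide: each intrusion event is
# rated against what network discovery already knows about the target host.
# Added example, not Cisco/Sourcefire code. Host profile, event fields, numeric
# impact levels and all sample data are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class HostProfile:                 # what discovery learned about one host
    ip: str
    services: set = field(default_factory=set)   # {(protocol, port), ...}
    vulns: set = field(default_factory=set)      # vulnerability ids mapped to host

@dataclass
class IntrusionEvent:              # one IPS alert
    dst_ip: str
    protocol: str
    dst_port: int
    vuln_ids: set = field(default_factory=set)   # vulns the triggering rule covers

# Rows of the slide; the numbering of the levels is an assumption of this example.
IMPACT_ACTION = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}

def assess_impact(event, hosts, monitored_networks):
    """Apply the slide's decision rules top-down and return the impact level."""
    target = ip_address(event.dst_ip)
    if not any(target in ip_network(net) for net in monitored_networks):
        return 0                    # unmonitored network: nothing is known
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                    # monitored network, but host never discovered
    if event.vuln_ids & host.vulns:
        return 1                    # the rule's vulnerability is mapped to this host
    if (event.protocol, event.dst_port) in host.services:
        return 2                    # service present, but no vulnerability mapped
    return 3                        # relevant port not open / protocol not in use

def triage(events, hosts, monitored_networks):
    """Order alerts so 'Act Immediately' comes first, then levels 2, 3, 4 and 0."""
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    rated = [(assess_impact(e, hosts, monitored_networks), e) for e in events]
    return sorted(rated, key=lambda pair: order[pair[0]])

# Constructed inventory and alerts that exercise every row of the slide.
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", {("tcp", 80), ("tcp", 22)}, {"VULN-WEB-1"}),
    "10.1.1.20": HostProfile("10.1.1.20", {("tcp", 443)}),
}
MONITORED = ["10.1.0.0/16"]
EVENTS = [
    IntrusionEvent("10.1.1.20", "tcp", 443, {"VULN-TLS-9"}),  # port open, no vuln -> 2
    IntrusionEvent("192.0.2.7", "tcp", 80, {"VULN-WEB-1"}),   # outside monitored -> 0
    IntrusionEvent("10.1.1.10", "tcp", 80, {"VULN-WEB-1"}),   # vuln mapped -> 1
    IntrusionEvent("10.1.1.99", "tcp", 80, {"VULN-WEB-1"}),   # unknown host -> 4
    IntrusionEvent("10.1.1.10", "udp", 53, {"VULN-DNS-2"}),   # not in use -> 3
]
```

Calling `triage(EVENTS, HOSTS, MONITORED)` returns the alerts in the order 1, 2, 3, 4, 0, so the only event worth immediate action is the one whose rule matches a vulnerability already mapped to the target.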
  24. Cisco FireSIGHT Simplifies Operations
      • Impact Assessment and Recommended Rules automate routine tasks
  25. Reduced Cost and Complexity
      • Multilayered protection in a single device
      • Highly scalable for branch, internet edge, and data centers
      • Automates security tasks
        o Impact assessment
  26. The Power of Continuous Analysis
      Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case… Wouldn't it be nice to know if you're dealing with something more deadly?
  27. Indications of Compromise (IoCs)
      • IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks
      • SI Events: Connections to Known CnC IPs
      • Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections
  28. Advanced Malware Protection (FireAMP)
  29. Addresses limitations of point-in-time detection
      Point-in-time detection (Antivirus, Sandboxing): Initial Disposition = Clean; analysis stops; Actual Disposition = Bad = Too Late!! Blind to scope of compromise. Not 100%: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism.
      Retrospective detection (Continuous): Initial Disposition = Clean; analysis continues; Actual Disposition = Bad = Blocked. Turns back time; beyond the event horizon.
      Visibility and Control are Key
  30. FirePOWER Services: Advanced Malware
      1) File Capture (from network traffic)
      2) File Storage
      3) Send to Sandbox (Collective Security Intelligence)
      4) Execution Report available in Defense Center
      Malware Alert!
  31. Visibility and Context
  32. Visibility and Context
      File Sent, File Received, File Executed, File Moved, File Quarantined
  33. FirePOWER Services for ASA: Subscriptions
      Included appliance features:
      ✓ Configurable Fail Open Interfaces
      ✓ Connection/Flow Logging
      ✓ Network, User, and Application Discovery
      ✓ Traffic Filtering / ACLs
      ✓ NSS Leading IPS Engine
      ✓ Comprehensive Threat Prevention
      ✓ Security Intelligence (C&C, Botnets, SPAM etc.)
      ✓ Blocking of Files by Type, Protocol, and Direction
      ✓ Basic DLP in IPS Rules (SSN, Credit Card etc.)
      ✓ Access Control: Enforcement by Application
      ✓ Access Control: Enforcement by User
      Subscriptions (annual fee):
      • IPS and App Updates: IPS rule and application updates
      • URL Filtering: URL filtering subscription
      • Malware: subscription for malware blocking, continuous file analysis, malware network trajectory
  34. High Availability and Clustering
      High Availability: Max 2 Units; Clustering: Max 16 Units*
  35. Deploying ASA w/ FirePOWER Services: High Availability with ASA Failover
      • Available on all ASA platforms
      • State-sharing between firewalls for high availability
      • L2 Transparent or L3 Routed deployment options
      • Failover link
      • ASA provides valid, normalized flows to the FirePOWER module
      • State sharing does not occur between FirePOWER Services modules
  36. Multi-Context ASA Deployments
      • ASA can be configured in multi-context mode such that traffic going through the ASA can be assigned different policies
      • These interfaces are reported to the FirePOWER blade and can be assigned to security zones that can be used in differentiated policies.
      • In this example, you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside.
      • Note: there is no management segmentation inside the FirePOWER module comparable to contexts in the ASA configuration.
      (Diagram: Context A, Context B; Outside, Inside)
  37. Multi-Context ASA Deployments
      (Diagram: Admin Context, Context-1)
  38. Deploying ASA w/ FirePOWER Services: Scaling IPS with ASA5585-X Clustering
      • Up to 8 ASA5585-X IPS
      • Stateless load balancing by external switch
      • L2 Transparent or L3 Routed deployment options
      • Support for vPC, VSS and LACP
      • Cluster Control Protocol/Link
      • State-sharing between firewalls for symmetry and high availability
      • Every session has a primary and secondary owner ASA
      • ASA provides traffic symmetry to the FirePOWER module
  39. Why ASA with FirePOWER Services?
      • World's most widely deployed, enterprise-class ASA stateful firewall
      • Granular Application Visibility and Control (AVC)
      • Industry-leading FirePOWER Next-Generation IPS (NGIPS)
      • Validated by NSS Labs as the best NGFW on the market today
      • Advanced malware protection
      Cisco ASA: Identity-Policy Control & VPN; URL Filtering (subscription); FireSIGHT Analytics & Automation; Advanced Malware Protection (subscription); Application Visibility & Control; Network Firewall; Routing | Switching; Clustering & High Availability; Cisco Collective Security Intelligence Enabled; Built-in Network Profiling; Intrusion Prevention (subscription)
  40. Q & A