Next Generation Security
Fuat KILIÇ
Consulting Systems Engineer - Security
Ali Fuat TÜRKAY
Product Sales Specialist - Security
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
All were smart. All had security. All were seriously compromised.
Today’s Real World: Threats are evolving and evading traditional defense
What would you do if you knew you would be compromised?!
Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud
Protection modes: Point-in-time and Continuous
The Silver Bullet Does Not Exist…
Technologies: Application Control, FW/VPN, IDS / IPS, UTM, NAC, AV, PKI, Sandboxing
Each sold with its own promise: “Captive Portal”, “It matches the pattern”, “No false positives, no false negatives.”, “Block or Allow”, “Fix the Firewall”, “No key, no access”, Sandboxing “Detect the Unknown”
Customer Value Proposition
Cisco Security Solutions
Unmatched Visibility
Advanced Threat Protection
Consistent Control
Flexibility & Choice
Cisco’s Strategy: Integrated Platform for Defense, Discovery and Remediation
Platform components: Firewall, Content Gateways, Integrated Platform, Virtual, Cloud
Enforcement points: Device, Data Center, Network Access Control, Firewall
Content Aware: Applications
Context Aware: Identity, Data, Location
Threat Aware: Malware, APT
Gartner Defines Next-Generation IPS
NGIPS Definition
• Standard First-Gen IPS
• Context Awareness
• Application Awareness and full-stack visibility
• Content Awareness
• Adaptive Engine
Download at Sourcefire.com
*Source: “Defining Next-Generation Network Intrusion Prevention” Gartner, October 7, 2011
FirePOWER Platform
FireSIGHT Management Center
• Context Awareness
• Operating System Identification
• Fingerprint Applications (Web, Protocol & Client Versions)
• Service Enumeration (HTTP, SMTP, RDP, etc.)
• User Awareness
• 24x7 Monitoring (Passive & Inline)
• Identify Assets’ Potential Vulnerabilities (Weaknesses)
• Leverage Visibility/Vulnerabilities to “Adapt”
• Access Control Rule Enforcement
• Alerting, Correlation & Packet Capture
FirePOWER Platform/Services
• Inspect, Detect, Drop, Allow, etc.
• IPS, Application Control, Malware Inspection & URL Rating
• Inline, Passive & Hybrid
Context Awareness in Intrusion Events
FireSIGHT – Unique Visibility
Chart: Cisco FireSIGHT System compared with a Typical IPS and a Typical NGFW
Building Host Profile
OS & version Identified
Server applications and version
Client Applications
Who is at the host
Client Version
Application
What other systems / IPs did the user have, and when?
§ Converting Data into Information
FireSIGHT Impact Assessment
Correlates all intrusion events to an impact of the attack against the target
Impact Flag | Administrator Action                   | Why
1           | Act immediately, vulnerable            | Event corresponds to a vulnerability mapped to the host
2           | Investigate, potentially vulnerable    | Relevant port open or protocol in use, but no vulnerability mapped
3           | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4           | Good to know, unknown target           | Monitored network, but unknown host
0           | Good to know, unknown network          | Unmonitored network
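The impact table can be read as a small correlation routine: an intrusion event is checked against the monitored networks, then against the host profile FireSIGHT built for the target (services seen open, vulnerabilities mapped to it), and the first matching condition decides the flag. The following is an added example of that logic, not Sourcefire or Cisco code; the host profiles, vulnerability identifiers (VULN-SMB-1, VULN-WEB-9) and addresses are constructed placeholders.

```python
"""Impact-flag assignment modelled on the FireSIGHT impact table above.
Added example, not Sourcefire/Cisco code; host profiles, vulnerability ids
and addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Administrator action per impact flag, as in the table above
ACTION = {
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}

@dataclass
class HostProfile:
    ip: str
    os: str
    services: set = field(default_factory=set)  # {(proto, port)} seen open on the host
    vulns: set = field(default_factory=set)     # vulnerability ids mapped to this host

@dataclass
class IntrusionEvent:
    rule: str
    dst_ip: str
    proto: str
    dst_port: int
    vulns: set = field(default_factory=set)     # vulnerability ids the rule targets

def impact_flag(event, hosts, monitored):
    """Correlate one intrusion event against the host map; returns 0-4."""
    target = ipaddress.ip_address(event.dst_ip)
    if not any(target in net for net in monitored):
        return 0                                   # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                   # monitored network, host never profiled
    if event.vulns & host.vulns:
        return 1                                   # rule's vulnerability is mapped to the host
    if (event.proto, event.dst_port) in host.services:
        return 2                                   # service exposed, but no vulnerability mapped
    return 3                                       # port not open / protocol not in use

def triage(events, hosts, monitored):
    """Rank events for the analyst: flag 1 first, then 2, 3, 4; flag 0 (unmonitored) last."""
    ranked = [(impact_flag(e, hosts, monitored), e.rule, e.dst_ip) for e in events]
    ranked.sort(key=lambda r: (r[0] == 0, r[0]))
    return [(flag, rule, ip, ACTION[flag]) for flag, rule, ip in ranked]

# Constructed sample data (placeholder vulnerability ids, not real advisories)
MONITORED = [ipaddress.ip_network("10.1.0.0/16")]
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", "Windows Server",
                             {("tcp", 80), ("tcp", 445)}, {"VULN-SMB-1"}),
    "10.1.1.20": HostProfile("10.1.1.20", "Linux", {("tcp", 22)}),
}
EVENTS = [
    IntrusionEvent("SMB exploit attempt", "10.1.1.10", "tcp", 445, {"VULN-SMB-1"}),  # flag 1
    IntrusionEvent("Web app attack", "10.1.1.10", "tcp", 80, {"VULN-WEB-9"}),        # flag 2
    IntrusionEvent("Web app attack", "10.1.1.20", "tcp", 80, {"VULN-WEB-9"}),        # flag 3
    IntrusionEvent("Web app attack", "10.1.7.7", "tcp", 80, {"VULN-WEB-9"}),         # flag 4
    IntrusionEvent("Web app attack", "192.168.5.5", "tcp", 80, {"VULN-WEB-9"}),      # flag 0
]

if __name__ == "__main__":
    for row in triage(EVENTS, HOSTS, MONITORED):
        print(row)
```

The ordering of the checks matters: a mapped vulnerability wins over an open port, and an open port wins over "currently not vulnerable", so an event is never downgraded by a later, weaker condition. Flag 0 sorts last in the triage view because it says nothing about the target, only that the network is not monitored.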
Indications of Compromise (IoCs)
IPS Events
• Malware Backdoors
• Exploit Kits
• Web App Attacks
• CnC Connections
• Admin Privilege Escalations
SI Events
• Connections to Known CnC IPs
Malware Events
• Malware Detections
• Office/PDF/Java Compromises
• Malware Executions
• Dropper Infections
Gartner Leadership
Sourcefire has been a leader in
the Gartner Magic Quadrant for IPS
since 2006.
As of December 2013 Source: Gartner (December 2013)
Magic Quadrant chart (axes: ability to execute, vision; quadrants: challengers, leaders, visionaries, niche players). Vendors shown: Radware, StoneSoft (McAfee), IBM, Cisco, HP, McAfee, Sourcefire (Cisco), Huawei, Enterasys Networks (Extreme Networks), NSFOCUS Information Technology
2012 NSS Labs SVM for IPS
2013 NSS Labs SVM for IPS
ASA with FirePOWER Services Available Now!!
Industry’s First Threat-Focused NGFW
#1 Cisco Security announcement of the year!
• Integrating defense layers helps organizations get the best visibility
• Enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum
Proven Cisco ASA firewalling
Industry leading NGIPS and AMP
Cisco ASA with FirePOWER Services
NSS Labs – Next-Generation Firewall Security Value Map
Source: NSS Labs 2014
The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All three products achieved 99.2 percent in security effectiveness and now all can be confident that they will receive the best protections possible regardless of deployment.
Chart axes: Security Effectiveness (vertical), TCO per Protected-Mbps (horizontal)
The Results Cisco AMP is a Leader in Security Effectiveness and TCO and offers Best Protection Value
Cisco Advanced Malware Protection
Best Protection Value
99.0% Breach
Detection Rating
Lowest TCO per Protected-Mbps
NSS Labs Security Value Map (SVM) for Breach Detection Systems
Security Effectiveness
Overall Product Ratings
Cisco-Sourcefire AMP Results – For Detection Capability Only
Fire and ISE
EPS REST API
Threat Detection
• IDS Sig
• Malware
• Traffic
• Application
• And Many More..
Automagical, Dynamic, Squirrely Threat/Malware/Attack Response/Defense
Quarantine Action
• VLAN Assignment
• dACLs
• SGT
• QoS TAG
ISE
Network as a Sensor
© 2014 Lancope, Inc. All rights reserved.
Flow – The Network Phone Bill
Flow cache key fields: Destination IP, Origin IP, Destination Port, Origin Port, L3 Protocol, DSCP
Flow info per record: Packets, Bytes/Packet (sample row on the slide: 11000 packets, 1528 bytes/packet)
Analogy: a flow record is one line on the telephone bill; the monthly statement is the bill at-a-glance
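The "phone bill" is produced by a flow cache: every packet is looked up by the key fields listed above, the matching record's packet and byte counters are incremented, and a record is exported once the flow goes quiet (inactive timeout) or has been open too long (active timeout). The following is an added example of such a cache, not Lancope or Cisco code; the timeouts, the unidirectional key and the sample packets are constructed assumptions.

```python
"""Minimal NetFlow-style flow cache keyed on the fields in the slide above.
Added example, not Lancope/Cisco code; packets and timeouts are constructed."""
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float        # seconds since capture start
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # protocol name, e.g. "tcp" or "udp"
    dscp: int
    length: int      # bytes on the wire

@dataclass
class FlowRecord:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    dscp: int
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0

    @property
    def bytes_per_packet(self) -> float:
        return self.bytes / self.packets if self.packets else 0.0

class FlowCache:
    """Unidirectional flow cache with active and inactive timeouts (assumed values)."""
    def __init__(self, active_timeout=60.0, inactive_timeout=15.0):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self._cache = {}      # flow key -> FlowRecord still being updated
        self.exported = []    # records already exported ("billed")

    @staticmethod
    def key(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto, p.dscp)

    def add(self, p):
        self.expire(p.ts)     # age out idle flows before accounting this packet
        k = self.key(p)
        rec = self._cache.get(k)
        if rec is None:
            rec = FlowRecord(p.src_ip, p.src_port, p.dst_ip, p.dst_port,
                             p.proto, p.dscp, p.ts, p.ts)
            self._cache[k] = rec
        rec.packets += 1
        rec.bytes += p.length
        rec.last_seen = p.ts

    def expire(self, now):
        for k, rec in list(self._cache.items()):
            if (now - rec.last_seen >= self.inactive_timeout
                    or now - rec.first_seen >= self.active_timeout):
                self.exported.append(self._cache.pop(k))

    def flush(self):
        """Export everything still in the cache (end of capture)."""
        self.exported.extend(self._cache.values())
        self._cache.clear()
        return self.exported

def statement(records):
    """Bill at-a-glance: who talked to whom, with flow, packet and byte totals."""
    bill = {}
    for r in records:
        line = bill.setdefault((r.src_ip, r.dst_ip), {"flows": 0, "packets": 0, "bytes": 0})
        line["flows"] += 1
        line["packets"] += r.packets
        line["bytes"] += r.bytes
    return bill

# Constructed sample packets: a short HTTPS exchange, one DNS query, and the
# same HTTPS 5-tuple returning after the inactive timeout (a new record starts)
SAMPLE_PACKETS = [
    Packet(0.00, "10.1.1.10", 51000, "203.0.113.5", 443, "tcp", 0, 74),
    Packet(0.05, "10.1.1.10", 40000, "10.1.0.53", 53, "udp", 0, 78),
    Packet(0.10, "10.1.1.10", 51000, "203.0.113.5", 443, "tcp", 0, 66),
    Packet(0.20, "10.1.1.10", 51000, "203.0.113.5", 443, "tcp", 0, 1514),
    Packet(0.30, "10.1.1.10", 51000, "203.0.113.5", 443, "tcp", 0, 1514),
    Packet(30.0, "10.1.1.10", 51000, "203.0.113.5", 443, "tcp", 0, 66),
]

def run_demo():
    cache = FlowCache(active_timeout=60.0, inactive_timeout=15.0)
    for p in SAMPLE_PACKETS:
        cache.add(p)
    return cache.flush()

if __name__ == "__main__":
    records = run_demo()
    for r in records:
        print(r)
    print(statement(records))
```

Like a phone bill, the records carry no payload, only who talked to whom, when, and how much; that is what makes them cheap to keep for long periods and useful for scoping an incident after the fact. The bytes-per-packet figure is derived from the counters rather than stored, as the slide's "Bytes/Packet" column suggests.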
Figure: example enterprise network (Internet, Atlanta, San Jose, New York, Remote Sites, WAN, Firewall & IPS, Datacenter, DMZ, User Network, 3G Internet)
Figure: the same network with NetFlow exported from every segment (Remote Sites, WAN, Firewall, Datacenter, DMZ, User Network, 3G Internet)
How CTD Analyzes Devices
• In light of trends such as cloud and mobility, which have considerably changed our daily lives, Cisco has published the following innovations in the field of required security expertise and training, for training specialists, engineers and operations teams:
• Renewed CCNP Security certification program
• New Cisco Cybersecurity Specialist certification
• Retirement of the previous Cisco Security Specialist certification
• New and updated product training courses
• The redesigned CCNP Security certification now takes a much broader perspective and targets security professionals who need to build end-to-end architectures:
• 300-206 Implementing Cisco Edge Network Security Solutions (SENSS)
• 300-207 Implementing Cisco Threat Control Solutions (SITCS)
• 300-208 Implementing Cisco Secure Access Solutions (SISAS)
• 300-209 Implementing Cisco Secure Mobility Solutions (SIMOS)