
Next Generation Security


Next Generation Security

Rob Bleeker

Security Consulting Systems Engineer

CCIE# 2926, CISSP

Justin Malczewski

1234567890

Page 3: Next Generation Security

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3

The Industrialization of Hacking

Timeline from 1990 to 2020, in three phases:

• Phishing, low sophistication
• Hacking becomes an industry
• Sophisticated attacks, complex landscape

Threat eras along the timeline:

• Viruses: 1990–2000
• Worms: 2000–2005
• Spyware and rootkits: 2005–today
• APTs and cyberwarfare: today and beyond

Page 4: Next Generation Security

How Bad – 2013 and Beyond

(Figure: unlabelled breach record counts of 145 million, 152 million, 70 million, 60 million, 50 million, 50 million, "and a lot more!!!!!!")

Page 5: Next Generation Security


Needs to be a Better Approach

Current approach has never worked!

Imagine – Security as an Architecture

Page 6: Next Generation Security

The New Security Model

Attack Continuum

• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Applies across Network, Endpoint, Mobile, Virtual, and Cloud, and shifts protection from point-in-time to continuous.

Page 7: Next Generation Security

Cyber Attack Chain

Recon → Package → Deliver → Exploit → Install → CnC → Act

• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Prevent
• AFTER: Scope, Contain, Remediate

Visibility and Context, provided by:

• Firewall
• NGFW
• NAC + Identity Services
• VPN
• UTM
• NGIPS
• Web Security
• Email Security
• Advanced Malware Protection
• Network Behavior Analysis

Page 8: Next Generation Security

The more you see, the better you can protect.

Page 9: Next Generation Security

Visibility and Control

Cisco Security Intelligence Operations (SIO)

Cisco® SIO draws telemetry from WWW, email, web, devices, IPS, endpoints, and networks (Cloud, AnyConnect®, IPS, ESA, WSA, ASA):

• More than 150 million deployed endpoints
• 100 TB of data received per day
• 1.6 million global sensors
• 40% of worldwide email traffic
• 13 billion web requests

Information and actions produced:

• 3 to 5 minute updates
• More than 200 parameters tracked
• More than 5,500 IPS signatures produced
• More than 8 million rules per day
• More than 70 publications produced
• More than 40 languages
• More than 80 PhD, CCIE, CISSP, and MCSE holders
• More than $100 million spent in dynamic research and development
• 24 hours daily operations
• More than 800 engineers, technicians, and researchers

Page 10: Next Generation Security

Collective Security Intelligence

Outputs:

• IPS rules
• Malware protection
• Reputation feeds
• Vulnerability database updates

Inputs:

• Sourcefire AEGIS™ Program
• Private and public threat feeds
• Sandnets
• FireAMP™ Community
• Honeypots
• Advanced Microsoft and industry disclosures
• SPARK Program
• Snort and ClamAV open source communities
• File samples (>380,000 per day)

Analysis by the Sourcefire VRT® (Vulnerability Research Team) using sandboxing, machine learning, and a big data infrastructure.

Page 11: Next Generation Security


ASA with FirePower Services

Page 12: Next Generation Security

Mission: Security from Cloud to Core

Founded in 2001 by Marty Roesch

• Market leader in (NG)IPS
• Recent entrant to NGFW space with strong offering
• Groundbreaking Advanced Malware Protection solution

Innovative – 52+ patents issued or pending

• Pioneer in IPS, context-driven security, advanced malware

World-class research capability

Owner of major Open Source security projects

• Snort, ClamAV, Razorback

Page 13: Next Generation Security

Sourcefire Security Solutions

• Collective Security Intelligence
• Management Center (appliances | virtual)
• Next-Generation Firewall
• Next-Generation Intrusion Prevention
• Advanced Malware Protection (appliances | virtual)
• Contextual Awareness (hosts | virtual | mobile)

Page 14: Next Generation Security

FirePOWER Services for ASA: Components

FirePOWER Services Software Module

• Models: ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X
• SSD drive required
• FirePOWER Services software module
• Licenses and subscriptions

ASA 5585-X FirePOWER Services Blade

• Models: ASA 5585-X-10, ASA 5585-X-20, ASA 5585-X-40, ASA 5585-X-60
• New FirePOWER Services hardware module required
• Licenses and subscriptions

Page 15: Next Generation Security

2014 NSS Labs SVM for NGFW

Page 16: Next Generation Security

Functional Distribution

Base ASA:

• ACL
• NAT
• VPN termination
• Routing

FirePOWER Services module:

• Advanced Malware Protection
• AVC (application control)
• NGIPS
• URL filtering

Page 17: Next Generation Security

Next Generation Security on a Trusted Firewall

• FirePOWER Services (NGIPS, NGFW/AVC, AMP), managed by the FireSIGHT Management Center: comprehensive SECOPS workflows
• ASA software, managed by Cisco Security Manager (CSM) or ASDM: comprehensive NETOPS workflows

Page 18: Next Generation Security

NGFW Realities: OpenAppID

Why does this matter?

• Application visibility efficacy is not 100%. Today the best efficacy around App ID is about 65%.
• If you are looking to strengthen your overall security posture, then building policies with 65% efficacy is putting your organization at risk. This creates a hit-and-miss security model.
• Application ID is non-deterministic and applications are evasive, so what happens with unknown applications?
• Logging of unknown applications should take place, and silent drops are forbidden in security: you need to know what has happened even if the application has not been identified.

Cisco still understands the value of app visibility/control

• Application visibility and control and web filtering have been within Cisco’s portfolio for 5+ years. We have led this with our Cisco IronPort WSA and our CWS (ScanSafe) solutions, and we have brought this quadrant-leading product to our next generation ASA platform.
• Built upon a strong traditional stateful firewall platform that has been proven within the industry.

Cisco is solving the application ID efficacy problem with OpenAppID.

Page 19: Next Generation Security

NGFW Realities – The Building Blocks of the Best NGFW: Difficult to Build at Best

Rating scale: Great, Good, Poor. The chart compares "NGFW Today" with "ASA with FirePOWER Services" across Traditional FW, VPN, APP, URL, IPS, Malware, and Visibility and Integration (the per-cell ratings are not recoverable from the extraction).

How: Cisco will be adding FireAMP for malware and Sourcefire NGIPS, and further ISE integration.

It is very difficult to build the best of breed for all elements that make up a NGFW. Note: the great, good, and poor ratings change depending on the product referenced.

Page 20: Next Generation Security

FirePOWER Services: Application Control

• Control access for applications, users and devices
• “Employees may view Facebook, but only Marketing may post to it”
• “No one may use peer-to-peer file sharing apps”

Over 3,000 apps, devices, and more!

Page 21: Next Generation Security

Application Control

• Social: security and DLP
• Mobile: enforce BYOD policy
• Bandwidth: recover lost bandwidth
• Security: reduce attack surface

Page 22: Next Generation Security


FirePOWER Services: URL Filtering

• Block non-business-related sites by category

• Based on user and user group

Page 23: Next Generation Security

FireSIGHT™ Full Stack Visibility

| Categories | Examples | FirePOWER Services | Typical IPS | Typical NGFW |
|---|---|---|---|---|
| Threats | Attacks, Anomalies | ✔ | ✔ | ✔ |
| Users | AD, LDAP, POP3 | ✔ | ✗ | ✔ |
| Web Applications | Facebook Chat, Ebay | ✔ | ✗ | ✔ |
| Application Protocols | HTTP, SMTP, SSH | ✔ | ✗ | ✔ |
| File Transfers | PDF, Office, EXE, JAR | ✔ | ✗ | ✔ |
| Malware | Conficker, Flame | ✔ | ✗ | ✗ |
| Command & Control Servers | C&C Security Intelligence | ✔ | ✗ | ✗ |
| Client Applications | Firefox, IE6, BitTorrent | ✔ | ✗ | ✗ |
| Network Servers | Apache 2.3.1, IIS4 | ✔ | ✗ | ✗ |
| Operating Systems | Windows, Linux | ✔ | ✗ | ✗ |
| Routers & Switches | Cisco, Nortel, Wireless | ✔ | ✗ | ✗ |
| Mobile Devices | iPhone, Android, Jail | ✔ | ✗ | ✗ |
| Printers | HP, Xerox, Canon | ✔ | ✗ | ✗ |
| VoIP Phones | Cisco phones | ✔ | ✗ | ✗ |
| Virtual Machines | VMware, Xen, RHEV | ✔ | ✗ | ✗ |

Contextual Awareness: Information Superiority

Page 24: Next Generation Security

Impact Assessment

Correlates all intrusion events to an impact of the attack against the target. Impact flags, listed from highest to lowest:

| Administrator action | Why |
|---|---|
| Act Immediately, Vulnerable | Event corresponds to vulnerability mapped to host |
| Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vuln mapped |
| Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use |
| Good to Know, Unknown Target | Monitored network, but unknown host |
| Good to Know, Unknown Network | Unmonitored network |
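As an added example (not Cisco or Sourcefire code), the table's decision logic as a small correlator in Python: it takes an intrusion event plus the discovery data for its target and returns the row that applies, then triages a batch so "Act Immediately" events surface first. The numeric flag values 1–4 and 0 are an assumed labelling of the five rows, and the networks, hosts and vulnerability IDs are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class HostProfile:
    open_ports: set   # (protocol, port) pairs the host was seen serving
    vulns: set        # vulnerability IDs mapped to the host by discovery

@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int
    vuln_ids: set     # vulnerabilities the triggering IPS rule references

# Flag numbers are an assumed labelling of the table's five rows.
def assess_impact(ev, monitored, hosts):
    target = ip_address(ev.dst_ip)
    if not any(target in net for net in monitored):
        return 0, "Good to Know, Unknown Network"        # unmonitored network
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4, "Good to Know, Unknown Target"         # monitored, host unknown
    if ev.vuln_ids & host.vulns:
        return 1, "Act Immediately, Vulnerable"          # vuln mapped to host
    if (ev.proto, ev.dst_port) in host.open_ports:
        return 2, "Investigate, Potentially Vulnerable"  # port open, no vuln mapped
    return 3, "Good to Know, Currently Not Vulnerable"   # port closed / protocol unused

# Constructed discovery data and events; vulnerability IDs are placeholders.
MONITORED = [ip_network("10.1.0.0/16")]
HOSTS = {
    "10.1.2.10": HostProfile({("tcp", 80), ("tcp", 443)}, {"VULN-WEB-001"}),
    "10.1.2.20": HostProfile({("tcp", 22)}, set()),
}
EVENTS = [
    IntrusionEvent("10.1.2.10", "tcp", 80, {"VULN-WEB-001"}),    # flag 1
    IntrusionEvent("10.1.2.20", "tcp", 22, {"VULN-SSH-009"}),    # flag 2
    IntrusionEvent("10.1.2.10", "tcp", 3389, {"VULN-RDP-004"}),  # flag 3
    IntrusionEvent("10.1.9.9", "udp", 53, {"VULN-DNS-002"}),     # flag 4
    IntrusionEvent("192.0.2.7", "tcp", 80, {"VULN-WEB-001"}),    # flag 0
]

PRIORITY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}   # triage order: act-now first

def triage(events=EVENTS, monitored=MONITORED, hosts=HOSTS):
    """Score every event and return (flag, action, target) with flag 1 first."""
    scored = [(*assess_impact(ev, monitored, hosts), ev.dst_ip) for ev in events]
    return sorted(scored, key=lambda row: PRIORITY[row[0]])
```

The same event against the same signature lands in different rows depending only on what discovery knows about the target, which is the point of the correlation.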

Page 25: Next Generation Security


Cisco FireSIGHT Simplifies Operations

• Impact Assessment and Recommended Rules Automate Routine Tasks

Page 26: Next Generation Security


Reduced Cost and Complexity

• Multilayered protection in a single device

• Highly scalable for branch, internet edge, and data centers

• Automates security tasks

  o Impact assessment
  o Policy tuning
  o User identification

• Integrate transparently with third-party security solutions through eStreamer API

Page 27: Next Generation Security

The Power of Continuous Analysis

Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case…

Wouldn’t it be nice to know if you’re dealing with something more deadly?

Page 28: Next Generation Security

Indications of Compromise (IoCs)

IPS events:

• Malware backdoors
• CnC connections
• Exploit kits
• Admin privilege escalations
• Web app attacks

SI events:

• Connections to known CnC IPs

Malware events:

• Malware detections
• Malware executions
• Office/PDF/Java compromises
• Dropper infections

Page 29: Next Generation Security


Advanced Malware Protection (FireAMP)

Page 30: Next Generation Security

Point-in-time detection (antivirus, sandboxing):

• Initial disposition = clean
• Analysis stops
• Actual disposition = bad = too late!!
• Blind to scope of compromise
• Not 100%: evaded by sleep techniques, unknown protocols, encryption, and polymorphism

Continuous analysis (retrospective detection, analysis continues):

• Initial disposition = clean
• Actual disposition = bad = blocked
• Turns back time; visibility and control are key
• Beyond the event horizon: addresses the limitations of point-in-time detection

Page 31: Next Generation Security

FirePOWER Services: Advanced Malware

1) File capture from network traffic
2) File storage
3) Send to the Collective Security Intelligence sandbox
4) Execution report available in Defense Center

Malware alert!

Page 32: Next Generation Security


Visibility and Context

Page 33: Next Generation Security

Visibility and Context

File trajectory events: File Sent, File Received, File Executed, File Moved, File Quarantined

Page 34: Next Generation Security

FirePOWER Services for ASA: Subscriptions

Included with the FirePOWER Services for ASA appliance:

• Configurable fail-open interfaces ✓
• Connection/flow logging ✓
• Network, user, and application discovery ✓
• Traffic filtering / ACLs ✓
• NSS leading IPS engine ✓
• Comprehensive threat prevention ✓
• Security Intelligence (C&C, botnets, spam, etc.) ✓
• Blocking of files by type, protocol, and direction ✓
• Basic DLP in IPS rules (SSN, credit card, etc.) ✓
• Access control: enforcement by application ✓
• Access control: enforcement by user ✓

Subscriptions (annual fee):

• IPS and App Updates: IPS rule and application updates
• URL Filtering: URL filtering subscription
• Malware Protection: subscription for malware blocking, continuous file analysis, and malware network trajectory

Page 35: Next Generation Security

High Availability and Clustering

• High availability: max 2 units
• Clustering: max 16 units*

Page 36: Next Generation Security

Deploying ASA w/ FirePOWER Services: High Availability with ASA Failover

• Available on all ASA platforms
• State-sharing between firewalls for high availability
• L2 transparent or L3 routed deployment options
• Failover link
• ASA provides valid, normalized flows to the FirePOWER module
• State sharing does not occur between FirePOWER Services modules

Page 37: Next Generation Security

Multi-Context ASA Deployments

• ASA can be configured in multi-context mode so that traffic going through the ASA can be assigned different policies.
• These interfaces are reported to the FirePOWER blade and can be assigned to security zones that can be used in differentiated policies.
• In this example, you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside.
• Note: there is no management segmentation inside the FirePOWER module similar to the context idea inside the ASA configuration.

(Diagram: Context A and Context B, each with an Outside and an Inside interface.)

Page 38: Next Generation Security

Multi-Context ASA Deployments

(Diagram: Admin Context and Context-1.)

Page 39: Next Generation Security

Deploying ASA w/ FirePOWER Services: Scaling IPS with ASA5585-X Clustering

• Up to 8 ASA5585-X IPS
• Stateless load balancing by external switch
• L2 transparent or L3 routed deployment options
• Support for vPC, VSS and LACP
• Cluster control protocol/link
• State-sharing between firewalls for symmetry and high availability
• Every session has a primary and secondary owner ASA
• ASA provides traffic symmetry to the FirePOWER module

Page 40: Next Generation Security

Why ASA with FirePOWER Services?

• World’s most widely deployed, enterprise-class ASA stateful firewall
• Granular Application Visibility and Control (AVC)
• Industry-leading FirePOWER Next-Generation IPS (NGIPS)
• Validated by NSS Labs as the best NGFW on the market today
• Advanced malware protection

Components shown:

• Cisco ASA: identity-policy control & VPN, network firewall, routing | switching, clustering & high availability
• FireSIGHT analytics & automation
• Built-in network profiling
• Application visibility & control
• URL filtering (subscription)
• Intrusion prevention (subscription)
• Advanced malware protection (subscription)
• Cisco Collective Security Intelligence enabled

Page 41: Next Generation Security

Q & A