Post on 11-Sep-2015
Bucharest, 23 September 2014
ASA with FirePower
Solution Overview
believe in more
Summary
Why Security Why Cisco
ASA with FirePOWER
AMP
Roadmap
Why Security Why Cisco?
BYOD / Corporate owned: 90% of organizations not fully aware of the devices accessing their network
Real-time social media: 14% of organizations had malware enter the corporate network through social media/web apps
Cloud / Data center: 5-10 times more cloud services being used than are known by IT
App stores / Enterprise apps: 92% of top 500 Android apps carry security/privacy risks
Impact of a Breach
START: breach occurs
HOURS: data in breaches is stolen in hours
MONTHS: breaches remain undiscovered for months
YEARS: information of up to individuals on the black market over the last three years
Announcing September 16
Industry's First Threat-Focused NGFW
#1 Cisco Security announcement of the year!
Proven Cisco ASA firewalling plus industry-leading NGIPS and AMP
Cisco ASA with FirePOWER Services
Integrating defense layers helps organizations get the best visibility
Enable dynamic controls to automatically adapt
Protect against advanced threats across the entire attack continuum
The Problem with Legacy Next-Generation Firewalls
Focus on the apps, but miss the threat
Legacy NGFWs can reduce the attack surface, but advanced malware often evades their security controls.
Cisco ASA with FirePOWER Services
- Cisco ASA firewalling combined with Sourcefire next-generation IPS
- Integrated threat defense over the entire attack continuum
- Best-in-class security intelligence, application visibility and control (AVC), and URL filtering
Features
Superior, multilayered threat protection
Unprecedented network visibility
Advanced malware protection
Reduced cost and complexity
Benefits
Superior Integrated & Multilayered Protection
- World's most widely deployed, enterprise-class ASA stateful firewall
- Granular Cisco Application Visibility and Control (AVC)
- Industry-leading FirePOWER next-generation IPS (NGIPS)
- Reputation- and category-based URL filtering
- Advanced malware protection
Architecture (Cisco Collective Security Intelligence enabled):
Cisco ASA: Identity-Policy Control & VPN; Network Firewall; Routing | Switching; Clustering & High Availability
FirePOWER Services: Application Visibility & Control; Built-in Network Profiling; Intrusion Prevention (subscription); URL Filtering (subscription); Advanced Malware Protection (subscription)
FireSIGHT: Analytics & Automation
FirePOWER Delivers Best Threat Effectiveness
Security Value Map for Intrusion Prevention System (IPS); Security Value Map for Breach Detection
Unprecedented Network Visibility
Visibility compared across FirePOWER Services, a typical IPS and a typical NGFW, by category:
- Threats
- Users
- Web Applications
- Application Protocols
- File Transfers
- Malware
- Command & Control Servers
- Client Applications
- Network Servers
- Operating Systems
- Routers & Switches
- Mobile Devices
- Printers
- VoIP Phones
- Virtual Machines
Reduced Cost and Complexity
- Multilayered protection in a single device
- Highly scalable
- Automates security tasks: impact assessment, policy tuning, user identification
- Integrates with third-party security solutions
Annual Costs of IPS Maintenance (Typical IPS vs. Next-Generation IPS)
Task                              Typical IPS   Next-Generation IPS
Impact Assessment of IPS Events      $144,000               $24,300
IPS Tuning                            $72,000               $18,000
Linking IPS Events to Users           $59,400                $3,000
Total                                $275,400               $45,300
Cisco's FirePOWER Next-Generation IPS collectively saves this customer $230,100 per year.
AMP Provides Continuous Retrospective Security
Continuous feed, continuous analysis: a telemetry stream from every control point (Web, Endpoints, Network devices, Email, IPS) feeds the AMP cloud.
Telemetry collected: file fingerprint and metadata; file and network I/O; process information.
Breadth of control points.
Integrated Threat Defense at Work
Cisco detects, analyzes and protects against known and emerging threats.
Threat intelligence led to identifying and stopping the extensive String of Pearls malware campaign.
Key techniques:
- Leveraged data sources across Email, Web, and Advanced Malware Protection products
- Used Big Data analytics to link disparate events and malware activity
- Endpoint behavior
- Malware deconstruction
Result: multiple Indications of Compromise (IoCs) identified the malware infection
ASA with FirePOWER Services vs. Typical NGFW
Feature | Cisco ASA with FirePOWER Services | Typical NGFW
NSS NGFW Security Value Map, Gartner IPS MQ | Superior | Partial or Not Available
Reputation-Based Proactive Protection | Superior | Not Available
Intelligent Security Automation | Superior | Not Available
File Reputation, File Trajectory, Retrospective Analysis | Superior | Not Available
Application Visibility and Control | Superior | Available
Acceptable Use/URL Filtering | Superior | Available
Remote Access VPN | Superior | Not Enterprise-Grade
Stateful Firewall, HA, Clustering | Superior | Available*
* HA capabilities vary by NGFW vendor. Only Check Point and McAfee support clustering.
Threat-focused Value Positioning Framework
ASA CX:
- First-gen NGFW for medium-sized business Internet edge deployments
- Up to 4 Gbps threat-inspected (5585-X SSP60)
- Position for: On Box SSL; On Box Manager
Cisco ASA with FirePOWER Services:
- Sophisticated NG anti-threat & advanced malware protection trusted by security ops worldwide
- Up to 6 Gbps threat-inspected (5585-X SSP60)
- Position for: Edge and Enterprise Networks; Clustered DC
FirePOWER Appliances:
- Sophisticated NG anti-threat & advanced malware protection trusted by security ops worldwide
- Up to 60 Gbps threat-inspected (FP8390), stackable to 120 Gbps
- Position for: Data Center (DC-CVD); Very High Throughput; IPS-only Refresh
Why Upgrade?
ASA 5512-X
1 Gbps FW Throughput
ASA 5515-X
1.2 Gbps FW Throughput
ASA 5525-X
2 Gbps FW Throughput
ASA 5545-X
3 Gbps FW Throughput
ASA 5555-X
4 Gbps FW Throughput
High performance
- Up to 4X faster than legacy ASA
- Increased throughput, connections per second (CPS) and sessions
Accelerated, integrated services
- Integrated security acceleration hardware
- No extra hardware required (security services enabled with software licenses)
Next-generation security
- Application control (AVC)
- Next-Generation IPS
- Security intelligence and URL Filtering
- Advanced Malware Protection
Upgrading from ASA with Classic IPS to FirePOWER Services for ASA
When upgrading from classic IPS to FirePOWER Services, enabling additional features can require a platform change: each additional major feature (AVC, IPS, AMP) costs inspected throughput, so a box that is already near capacity generally moves up one model per feature added.
Inspected throughput (Mbps):
Model                      5512-X 5515-X 5525-X 5545-X 5555-X 5585-10 5585-20 5585-40 5585-60
Classic IPS Module            150    250    400    600    850    1150    1500    3000    5000
FirePOWER AVC or IPS          100    150    375    575    725    1200    2000    3500    6000
FirePOWER IPS + AVC            75    100    255    360    450     800    1200    2100    3500
FirePOWER IPS + AVC + AMP      60     85    205    310    340     550     850    1500    2300
This is a general approximation!
Order Structure
1. New appliance or upgrade
- ASA 5500-X with FirePOWER Services: SSD + FirePOWER Services upgrade license
- ASA 5585-X with FirePOWER Services: FirePOWER Services blade
2. Security subscriptions: one of the five IPS, URL Filtering, Advanced Malware subscription packages, with 1 and 3 year term options
3. Management systems: Cisco FireSIGHT Manager Virtual or FireSIGHT Appliance (required); Cisco Security Manager (CSM) (optional); SMARTnet / SASU
Must run ASA 9.2.2.4+ and FirePOWER Services 5.3.1+
Five Subscription Packages to Choose From for Each Appliance
1 and 3 year terms. AVC is part of the default offering; AVC updates are included in SMARTnet.
- TA: IPS
- TAC: IPS + URL
- TAM: IPS + AMP
- TAMC: IPS + URL + AMP
- URL: URL filtering
Cisco ASA with FirePOWER Services: A New, Adaptive, Threat-Focused NGFW
- Integrated Threat Defense: best-in-class, multilayered protection in a single device
- Superior Visibility: full contextual awareness to eliminate gaps
- Automation: simplified operations and dynamic response and remediation
Why AMP?
Attackers are determined and resourceful:
- Malware still gets onto devices; detection is not 100%
- Point-in-time detection is not sufficient
- An integrated response is required to be effective
- Advanced Malware Protection must be pervasive
AMP solves business problems:
- Where do I start?
- What is the scope and how bad is the situation?
- What was the point and method of entry?
- Can I control and remediate across gateways, networks, and endpoints?
Comprehensive Security Solutions
Attack continuum: BEFORE (Control, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate)
Network: File Retrospection; File Trajectory; Contextual Awareness; Control Automation; In-line Threat Detection and Prevention
Endpoint: File Retrospection; File Trajectory; Device Trajectory; File Analysis; Indications of Compromise; Outbreak Control; File Execution Blocking
Key Features of AMP on Content Security
- File Reputation: blocks files known to be malicious; reputation verdicts delivered by the AMP cloud intelligence network
- File Sandboxing: behavioral analysis of unknown files; looks for suspicious behavior; feeds intelligence back to the AMP cloud
- File Retrospection: continuous analysis of files that have traversed the gateway; retrospective alerting after an attack when a file is determined to be malicious
Protection Across the Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Controls along the continuum: Filtering, Reputation, Malware Signature, File Reputation, File Behavior, File Retrospection, Threat Analytics, Usage Controls
AMP Feature Comparison (Secure Gateway / Network Appliance / Endpoint)
BEFORE - Block: File Reputation
DURING - Detect: File Sandboxing
AFTER - Monitor: File Retrospection; IoCs
AFTER - Investigate: File Analysis; File Trajectory; Device Trajectory; Threat Hunting
AFTER - Control: Outbreak Control
Reputation Filtering and Behavioral Detection
Spero Engine: Big Data and Machine Learning
- Spero is one of the detection engines in the AMP Cloud
- Provides zero-day detection
- Creates a feature print of a file from structural information, referred DLLs and the PE header
- Sends this feature print to the AMP Cloud, which matches it against machine-learned trees and returns a disposition
- Spero is available in AMP for Networks and the Windows endpoint connectors
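The feature print idea above, as an added worked example (this is not Sourcefire or Cisco code and not how Spero itself is built): a small PE32 reader that pulls the structural features the slide names (PE header flags, section table with per-section entropy, referred DLLs from the import directory) and hashes them into a compact fingerprint of the kind a connector could send to a cloud classifier. The parser, the constructed build_sample_pe() input image, the feature set and all function names are assumptions made here; a real engine feeds such features to a trained model rather than hashing them.

```python
"""Toy Spero-style feature print (added example, not Sourcefire/Cisco code).
build_sample_pe() constructs a minimal PE32 image in memory so the block runs
offline; parse_pe() and feature_print() are the parts worth reading."""
import hashlib
import json
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
DLLCHAR_DYNAMIC_BASE = 0x0040   # ASLR opt-in
DLLCHAR_NX_COMPAT = 0x0100      # DEP opt-in

def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted sections sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_sample_pe(dlls=("KERNEL32.dll", "ADVAPI32.dll")):
    """Constructed sample: DOS stub, PE signature, COFF header, PE32 optional header
    with an import data directory, and one .text section holding the import table."""
    sect_rva, sect_raw, sect_size = 0x1000, 0x200, 0x200
    body, names = bytearray(), bytearray()
    names_off = 20 * (len(dlls) + 1)            # DLL name strings follow the descriptors
    for dll in dlls:                            # IMAGE_IMPORT_DESCRIPTOR, Name field at +12
        body += struct.pack("<IIIII", 0, 0, 0, sect_rva + names_off + len(names), 0)
        names += dll.encode() + b"\0"
    body += bytes(20) + names                   # all-zero descriptor terminates the table
    body += b"\x90" * (0x100 - len(body)) + bytes(sect_size - 0x100)  # filler "code"
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)   # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, sect_size, 0, 0, sect_rva + 0x60, sect_rva, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x2000, 0x200, 0, 2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    datadirs = bytearray(16 * 8)
    struct.pack_into("<II", datadirs, 8, sect_rva, names_off)   # data directory 1 = imports
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, sect_rva, sect_size, sect_raw,
                       0, 0, 0, 0, 0x60000020)                   # CODE | EXECUTE | READ
    headers = dos + coff + opt + bytes(datadirs) + sect
    return headers + bytes(sect_raw - len(headers)) + bytes(body)

def parse_pe(data):
    """Minimal PE reader: COFF header, optional header fields, section table and
    the DLL names referenced from the import directory (PE32 and PE32+ layouts)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    import_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112) + 8)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": rva, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "flags": flags,
                         "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 3)})
        off += 40

    def rva_to_off(rva):            # map a relative virtual address to a file offset
        for s in sections:
            if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rawsize"]):
                return rva - s["rva"] + s["rawptr"]
        raise ValueError("RVA %#x is not backed by any section" % rva)

    dlls, d = [], (rva_to_off(import_rva) if import_rva else None)
    while d is not None:
        name_rva = struct.unpack_from("<I", data, d + 12)[0]
        if name_rva == 0:
            break
        o = rva_to_off(name_rva)
        dlls.append(data[o:data.index(b"\0", o)].decode("ascii", "replace").lower())
        d += 20
    return {"machine": machine, "magic": magic, "characteristics": chars, "entry": entry,
            "subsystem": subsystem, "dllchars": dllchars, "sections": sections, "dlls": dlls}

def feature_print(pe):
    """Structural features plus a SHA256 over their canonical JSON, so files that
    share a structure collapse to one lookup key for the cloud-side classifier."""
    def holds(s, addr):
        return s["rva"] <= addr < s["rva"] + max(s["vsize"], s["rawsize"])
    features = {
        "machine": pe["machine"], "pe32plus": pe["magic"] == 0x20B, "subsystem": pe["subsystem"],
        "aslr": bool(pe["dllchars"] & DLLCHAR_DYNAMIC_BASE), "nx_compat": bool(pe["dllchars"] & DLLCHAR_NX_COMPAT),
        "n_sections": len(pe["sections"]),
        "sections": [[s["name"], s["entropy"], bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)]
                     for s in pe["sections"]],
        "entry_in_exec_section": any(holds(s, pe["entry"]) for s in pe["sections"]
                                     if s["flags"] & IMAGE_SCN_MEM_EXECUTE),
        "imports": sorted(set(pe["dlls"])),
    }
    return features, hashlib.sha256(json.dumps(features, sort_keys=True).encode()).hexdigest()
```

Running feature_print(parse_pe(build_sample_pe())) yields the feature dictionary and a 64-hex-character print; swapping one imported DLL or toggling NX/ASLR changes the print, which is the property a structural (rather than byte-exact) lookup key needs. Section entropy is the one numeric feature included because it separates packed from plain code without executing anything.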
AMP Cloud Features
- Admin portal for deployment and management
- Network and endpoint protection
- Tracking and outbreak control
- Device trajectory
- File trajectory
- Threat root cause
- Offloads heavy analysis from the connector
- Collective Security Intelligence
AMP for Endpoints
- Managed and deployed from the cloud (AMP Cloud or Private Cloud)
- File activity (create/edit/move/execute)
- One-to-One / Spero / Ethos detection
- Simple and advanced custom detections
- Retrospective alerting and quarantine
- Application control
- Network flow correlation
- Black/white lists
- Dynamic analysis
AMP for Endpoints Capabilities
Capability                    Windows           Mac       Android
Hash Lookups                  SHA256            SHA256    SHA1
Ethos
Spero
Simple Custom Detections
Advanced Custom Detections
Retrospective Alerting
File Quarantine
Device Flow Correlation
Application Control
Supported Clouds              Public, Private   Public    Public
AMP for Networks
Components: FireSIGHT Management Console (Defense Center), FirePOWER Appliance, AMP Cloud, VRT Dynamic Analysis Cloud
- FirePOWER Appliance: carves files from network flows, stores them locally and calculates the hash for lookup (by policy); file disposition is queried against the AMP Cloud (SHA256, Spero); files are submitted to the VRT Dynamic Analysis Cloud (by policy)
- FireSIGHT Management Console: configuration (policy), file trajectory, AMP events correlation, manual dynamic analysis for endpoint connectors
Managed by FireSIGHT Management Center
File detection: One-to-One SHA256, Spero
File trajectory
Retrospective alerting
Dynamic analysis: policy based automatic file submission; public cloud only (private cloud available in 5.4)
AMP for Networks Integrated with AMP for Endpoints
Same components and flows as AMP for Networks (FireSIGHT Management Console, FirePOWER Appliance carving and hashing files by policy, disposition lookups against the AMP Cloud by SHA256 and Spero, submission to the VRT Dynamic Analysis Cloud), plus:
- FireSIGHT Management Console links to the AMP public cloud for endpoint connector events
- Endpoint connectors report to the AMP Cloud; manual dynamic analysis for endpoint connectors is driven from the console
FireAMP Private Cloud Design
- Admin portal for rapid deployment and management
- Anonymized file disposition lookups
- Retrospective analysis
- Device trajectory
- File trajectory
- Root cause
- Tracking and outbreak control
Public Cloud Communication and Retrospection
- Connectors -> AMP Cloud: File Query, Enterprise (Connector ID, SHA, Spero, Ethos)
- AMP Cloud -> Connectors: Response Disposition
- AMP Cloud, on SHA Conviction: Changed Disposition placed in the Retrospective Queue
- Connectors -> AMP Cloud: PING2 Query; AMP Cloud -> Connectors: Changed Disposition
Private Cloud Communication and Retrospection
- Connectors -> On-premise Appliance: File Query (Connector ID, SHA, Spero, Ethos); Spero and Ethos are evaluated locally
- On-premise Appliance -> AMP Cloud, only for a file that is the first / unique in the enterprise: Upstream File Query (Device ID, SHA)
- AMP Cloud -> On-premise Appliance: Response Disposition; on SHA Conviction, Changed Disposition via the Retrospective Queue, fetched by the appliance's PING2 Query
- On-premise Appliance -> Connectors: Response Disposition (a file previously seen in the enterprise is answered locally); Changed Disposition delivered on the connectors' PING2 Query from the appliance's Retrospective Queue
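The public and private cloud exchanges above, together with the file retrospection and file trajectory features from the AMP slides, as an added simulation (not Cisco's code or wire protocol): connectors hash what they see and keep a trajectory per hash, a private cloud appliance forwards only first-seen hashes upstream under its own device id and caches verdicts, and a later SHA conviction propagates back through the retrospective queues so every copy already allowed through gets quarantined. Class names, the PING2 poll semantics, the cache-by-SHA behaviour of the appliance and the sample ids, paths and file bytes are assumptions made here; local Spero/Ethos evaluation and dynamic analysis are left out.

```python
"""AMP-style disposition lookup with retrospection (added example, not Cisco code).
Parties from the slides: connectors, an on-premise private cloud appliance in
proxied mode, and the public cloud. All ids, paths and file bytes are constructed."""
import hashlib
from collections import defaultdict

UNKNOWN, CLEAN, MALICIOUS = "unknown", "clean", "malicious"

class AmpCloud:
    """Public cloud: answers SHA256 queries and, on a later conviction, queues a
    changed disposition for every device that asked, drained by PING2."""
    def __init__(self):
        self.dispositions = {}                 # sha256 -> verdict
        self.askers = defaultdict(set)         # sha256 -> device ids that asked
        self.retro_queue = defaultdict(list)   # device id -> [(sha256, new verdict)]
        self.query_log = []                    # (device id, sha256) received upstream

    def file_query(self, device_id, sha256):
        self.query_log.append((device_id, sha256))
        self.askers[sha256].add(device_id)
        return self.dispositions.get(sha256, UNKNOWN)

    def convict(self, sha256, disposition=MALICIOUS):
        """SHA conviction: new intelligence changes the verdict retroactively."""
        if self.dispositions.get(sha256, UNKNOWN) == disposition:
            return
        self.dispositions[sha256] = disposition
        for device_id in self.askers[sha256]:
            self.retro_queue[device_id].append((sha256, disposition))

    def ping2(self, device_id):
        """Return and clear the retrospective queue for one device."""
        events, self.retro_queue[device_id] = self.retro_queue[device_id], []
        return events

class PrivateCloud(AmpCloud):
    """On-premise appliance. A hash seen for the first time in the enterprise goes
    upstream under the appliance's own device id (connector ids stay on site);
    repeats are answered from the cache. sync() pulls upstream changes with PING2
    and re-queues them for the local connectors that saw the file."""
    def __init__(self, upstream, device_id="onprem-appliance"):
        super().__init__()
        self.upstream, self.device_id = upstream, device_id

    def file_query(self, connector_id, sha256):
        self.askers[sha256].add(connector_id)
        if sha256 not in self.dispositions:     # first / unique in the enterprise
            self.dispositions[sha256] = self.upstream.file_query(self.device_id, sha256)
        return self.dispositions[sha256]

    def sync(self):
        for sha256, disposition in self.upstream.ping2(self.device_id):
            self.convict(sha256, disposition)

class Connector:
    """Endpoint or network connector: hashes each file it sees, keeps the file
    trajectory (where the hash appeared) and quarantines retroactively on PING2."""
    def __init__(self, connector_id, cloud):
        self.connector_id, self.cloud = connector_id, cloud
        self.trajectory = defaultdict(list)    # sha256 -> [path]
        self.quarantined = []

    def observe(self, path, content):
        sha256 = hashlib.sha256(content).hexdigest()
        self.trajectory[sha256].append(path)
        return self.cloud.file_query(self.connector_id, sha256)

    def poll(self):
        """PING2 toward whichever cloud this connector reports to."""
        alerts = []
        for sha256, disposition in self.cloud.ping2(self.connector_id):
            if disposition == MALICIOUS:
                for path in self.trajectory[sha256]:     # every copy on the trajectory
                    self.quarantined.append(path)
                    alerts.append((sha256, path))
        return alerts

def run_scenario():
    """Constructed walk-through: a dropper passes as unknown on three hosts, is
    convicted later, and every host that received it gets a retrospective alert."""
    public = AmpCloud()
    onprem = PrivateCloud(public)
    host_a, host_b = Connector("host-a", onprem), Connector("host-b", onprem)
    roaming = Connector("laptop-x", public)    # off-site connector on the public cloud
    dropper = b"MZ\x90\x00 constructed sample dropper bytes, not real malware"
    sha256 = hashlib.sha256(dropper).hexdigest()
    initial = [host_a.observe(r"C:\Users\a\Downloads\invoice.exe", dropper),
               host_b.observe(r"C:\Temp\invoice.exe", dropper),
               roaming.observe("/tmp/invoice.exe", dropper)]
    public.convict(sha256)                     # intelligence update: SHA conviction
    onprem.sync()                              # appliance PING2 against the public cloud
    return {"initial": initial,
            "upstream_queries": [d for d, s in public.query_log if s == sha256],
            "alerts_a": host_a.poll(), "alerts_b": host_b.poll(),
            "alerts_roaming": roaming.poll(),
            "verdict_now": host_b.observe(r"C:\Temp\invoice(1).exe", dropper)}
```

In run_scenario() the public cloud receives the hash from exactly two device ids, the appliance and the roaming laptop: host-a and host-b never appear upstream, and host-b's lookup never leaves the site at all because the appliance already holds that SHA. After the conviction, each host's poll() returns the paths on its own trajectory, which is the retrospective alert the slides describe, and a new copy of the same file is now answered as malicious straight from the appliance cache.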
AMP Everywhere
- Endpoint: FireAMP (cloud connected) and FireAMP Private Cloud (on-premises)
- Network: FirePOWER and ASA, managed by FireSIGHT
- Gateway: ESA, WSA, CWS
- Sandbox: Dynamic Analysis (cloud connected and on-premises)
- FireSIGHT: events / correlation
FirePOWER Services on the ASA
Components: FireSIGHT Management Console (Defense Center), Cisco Security Manager, ASA cluster with Sourcefire virtual sensor, AMP Cloud, VRT Dynamic Analysis Cloud, endpoint connectors
- ASA cluster with Sourcefire virtual sensor: file disposition queried against the AMP Cloud (SHA256, Spero); files submitted to the VRT Dynamic Analysis Cloud
- FireSIGHT Management Console: configuration (policy), file trajectory, AMP events correlation, manual dynamic analysis for endpoint connectors; link to the AMP public cloud for endpoint connector events
Advanced Malware Protection Roadmap Summary
Timeline: Q1 2014 through Q2 2015 (Q114, Q214, Q314, Q414, Q115, Q215)
Cloud and Connector Delivery Model
- Bitters v5.3: 0-day malware detection (cloud based sandbox); file capture and storage; custom file detection/blocking; host and network malware event correlation
- FireAMP 5.0 / Connector 4.0: Endpoint OpenIOC; License Enforcements
- FireAMP Private Cloud 1.0: Virtual Appliance; Proxied Cloud with Local Mgmt and Reporting
- FireAMP 4.5.2 / Connector 3.1.9: Remote File Extraction
- FireAMP 4.5: Cloud IOC Support; Elastic Search; Low Prevalence Report
- FireAMP Private Cloud 2.0: Air-gapped; License Enforcements
Legend: Endpoint Component, Network Component, Content Component, Common Use
On-Premise Delivery Model (above plus these)
- Dynamic Analysis: Local Dynamic Analysis (Sandboxing); ThreatGRID On-prem Integration
- AMP 8150, 7150: new FirePOWER models with increased memory and CPU cores (for file functions)
- FireAMP 5.1: Role-based Access Control (RBAC); Support Portal; Risk Reports
- FireAMP Linux Connector 1.0: Linux Support
- Mac OSX Connector 1.0: Mac OSX Support
- Chivas v5.4: Integrated SSL Decryption; Private Cloud Support; EU Cloud support; File archive (.zip) support; UTF8 filename display
- FireAMP 5.2: Enhanced RBAC; MD5
- Drambuie v6: File pre-classification engine; DNS and URL blacklist
- AMP on Web/Mail/Cloud (ESA/WSA/CWS): File Disposition Look-ups; 0-day malware detection (cloud based sandbox)
- AMP on Web/Mail/Cloud (ESA/WSA/CWS): Private Cloud Support; Custom file detection/blocking
- Mac OSX Connector 1.x: Parity Completion
- Elektra: AMP (Sourcefire) on ASA
- POS Connector 1.0: Support for POS
- Dynamic Analysis: ThreatGRID Cloud Integration
CONTACT
For more info regarding our Security Solution please use the contact details below:
Address
Splaiul Independentei nr. 179, Corp B, Sector 5, Bucuresti, 050099
Phone: +40 21 3178787
Fax: +40 21 3179797
Email: office@datanets.ro
Member of Soitron group of companies.
Thank you for your attention.
Q&A