Page 1: Next Generation Firewall · Cisco Firepower® 2100 Series Cisco Firepower 4100 Series Cisco Firepower 9300 Security Appliance • Internet edge, high-performance enterprise environments

Luc Billot

Cyber Security Technical Architect - Cisco

April 2019

Anticipate, block, and respond to threats

Next Generation Firewall

Page 2

© 2019 Cisco and/or its affiliates. All rights reserved.

Why Cisco Bought Sourcefire?

Page 3

It is a $2.7 billion question…

• Snort
• VRT
• Immunet
• ClamAV
• FirePOWER
• FireSIGHT

Page 4

Security is an Integration Game

Components in the integration diagram:

• NGIPS and NGFW, managed by Firepower Management Center
• ISE (identity from ISE is shared with Firepower)
• AMP and AMP for Endpoints
• Threat Grid
• Stealthwatch
• Web Security, Email Security, Umbrella (DNS) and Investigate
• Tetration, AD
• Logging / SIEM (Firepower sends event data to the SIEM)
• Orchestration through API transactions
• 3rd-party vulnerability data and 3rd-party threat intelligence feeds

Page 5

PRODUCTS & INTELLIGENCE

Talos is the intelligence backbone for all Cisco Security Products and Services.

Products, and the Talos detection services each one consumes:

Email (ESA, ClamAV): SpamCop, SenderBase, email reputation; malware protection; URL, domain and IP reputation; phishing protection; spam detection
Open Source (Snort rules, ClamAV signatures, ClamAV): vulnerability protection; malware protection; policy & control
Endpoint (AMP, ClamAV): cloud and endpoint IOCs; malware protection; IP reputation
Cloud (OpenDNS, CES): URL, domain and IP reputation; malware protection; AVC
Web (WSA): URL, domain and IP reputation; malware protection; AVC
Network (Firepower/ASA, ISR, Meraki): policy & control; malware protection; URL, domain and IP reputation; vulnerability protection
Services (ATA, IR): cloud and endpoint IOCs; malware protection; URL, domain and IP reputation; vulnerability protection; custom protection
Intelligence (Threat Grid): cloud and endpoint IOCs; malware protection; URL, domain and IP reputation; network protection

Page 6

Cisco Firewalls have you covered

Product protection against NotPetya (June 2017), WannaCry (May 2017) and VPNFilter (May 2018):

• AMP
• CWS (N/A for one of the three)
• Firewall
• Threat Grid
• Umbrella (N/A for one of the three)
• WSA (N/A for one of the three)

Page 7

Automatic Threat Prevention

Page 8

Security Intelligence, URL Filtering, DNS Sinkhole

Block or allow access to URLs and domains

• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage Acceptable Use Policy
• Block latest malicious URLs

Diagram: the admin builds category-based policy (allow / block, e.g. the gambling category, Safe Search); security feeds (URL | IP | DNS) drive NGFW filtering (block / allow) and the DNS sinkhole.
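The DNS sinkhole action on this slide, as an added example that is not Cisco code and not part of the original deck: a query for a feed-listed domain (or any subdomain of one) is answered with a sinkhole address instead of being forwarded, and the querying client is logged, which is how the infected host gets identified when it connects to the sinkhole. The feed entries, the sinkhole address and the client IPs are constructed; a real deployment takes the list from the Talos DNS feed plus custom lists.

```python
"""DNS sinkhole against a Security Intelligence domain feed (illustrative)."""
import ipaddress
import struct
from typing import Optional

SINKHOLE_IP = "10.255.255.1"   # assumption: address of the internal sinkhole listener
QTYPE_A, QCLASS_IN = 1, 1
# Constructed sample feed; in FMC this is the Talos DNS feed plus custom lists.
DNS_FEED = {"evil-c2.example", "bad-updates.example"}


def feed_match(qname: str, feed=DNS_FEED) -> Optional[str]:
    """Return the feed entry matching qname or one of its parent domains."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Encode a standard recursive query (used to construct sample input)."""
    name = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + name + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes):
    """Parse a single-question query: (txid, qname, qtype, qclass, question bytes)."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query")
    off, labels = 12, []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:                      # no compression pointers in a question
            raise ValueError("malformed question name")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, ".".join(labels), qtype, qclass, pkt[12:off + 4]


def build_sinkhole_response(txid: int, question: bytes, qtype: int, ttl: int = 60) -> bytes:
    """A queries get the sinkhole A record; other types get an empty NOERROR answer."""
    answers = []
    if qtype == QTYPE_A:
        # Name = pointer to offset 12 (question name), then type, class, TTL, rdlen, rdata.
        answers.append(struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
                       + ipaddress.IPv4Address(SINKHOLE_IP).packed)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR RD RA
    return header + question + b"".join(answers)


def handle_query(pkt: bytes, client_ip: str) -> dict:
    """Decide forward vs. sinkhole for one query and return the log record."""
    txid, qname, qtype, qclass, question = parse_query(pkt)
    hit = feed_match(qname)
    if hit is None or qclass != QCLASS_IN:
        return {"action": "forward", "client": client_ip, "qname": qname, "response": None}
    return {"action": "sinkhole", "client": client_ip,   # client is the host to investigate
            "qname": qname, "matched": hit,
            "response": build_sinkhole_response(txid, question, qtype)}


if __name__ == "__main__":
    for name, client in (("c2.evil-c2.example", "192.0.2.10"), ("www.cisco.com", "192.0.2.11")):
        rec = handle_query(build_query(0x1234, name), client)
        print(rec["action"], rec["client"], rec["qname"], rec.get("matched"))
```

The parent-domain walk matters: feeds list registered domains, while malware usually queries a host or randomly generated label beneath them. Answering non-A types with an empty NOERROR rather than NXDOMAIN keeps the client from falling back to a different resolver path before it tries the A record.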

Page 9

Next-Generation Intrusion Prevention System (NGIPS)

Understand threat details and quickly respond

1. Scan network traffic: communications, app & device data, data packets
2. Correlate data and detect stealthy, blended threats: network profiling, phishing attacks, innocuous payloads, infrequent callouts
3. Prioritize response and respond based on priority: accept or block, automate policies (with ISE)

Page 10

Automated Impact Assessment

Correlates all intrusion events to an impact of the attack against the target

Impact Flag | Administrator Action | Why
1 | Act immediately; vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate; potentially vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to know; currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know; unknown target | Monitored network, but unknown host
0 | Good to know; unknown network | Unmonitored network
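The decision table above as code, added here as an illustration (not Cisco's implementation): an intrusion event is scored against what passive discovery knows about the target host (monitored networks, open ports or protocols in use, mapped vulnerabilities), then events are triaged in the order the table implies. The host records, events, vulnerability identifiers and field names are constructed assumptions.

```python
"""Impact flag assignment and triage for intrusion events (illustrative)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IMPACT_ACTION = {
    1: "Act immediately; vulnerable",
    2: "Investigate; potentially vulnerable",
    3: "Good to know; currently not vulnerable",
    4: "Good to know; unknown target",
    0: "Good to know; unknown network",
}
# Triage order from the table: 1 is most urgent, 0 least.
PRIORITY = {flag: rank for rank, flag in enumerate((1, 2, 3, 4, 0))}


@dataclass
class HostProfile:                    # what discovery learned about one host
    ip: str
    open_ports: Set[Tuple[str, int]] = field(default_factory=set)   # {("tcp", 445)}
    protocols: Set[str] = field(default_factory=set)                # {"icmp"}
    vulns: Set[str] = field(default_factory=set)                    # ids mapped to host


@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: Optional[int]           # None for port-less protocols such as ICMP
    rule_vulns: Set[str]              # vulnerabilities the triggering rule references
    sid: int = 0


def impact_flag(ev: IntrusionEvent, hosts: Dict[str, HostProfile],
                monitored: List[ipaddress.IPv4Network]) -> int:
    ip = ipaddress.ip_address(ev.dst_ip)
    if not any(ip in net for net in monitored):
        return 0                                  # unmonitored network
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4                                  # monitored network, unknown host
    if ev.rule_vulns & host.vulns:
        return 1                                  # rule's vulnerability mapped to host
    if ev.dst_port is None:
        service_present = ev.proto in host.protocols
    else:
        service_present = (ev.proto, ev.dst_port) in host.open_ports
    return 2 if service_present else 3


def triage(events, hosts, monitored):
    """Return (flag, action, event) tuples, most urgent first (stable order within a flag)."""
    scored = [(impact_flag(ev, hosts, monitored), ev) for ev in events]
    scored.sort(key=lambda pair: PRIORITY[pair[0]])
    return [(flag, IMPACT_ACTION[flag], ev) for flag, ev in scored]


# Constructed sample data: one monitored /8 and two discovered hosts.
MONITORED = [ipaddress.ip_network("10.0.0.0/8")]
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", {("tcp", 445), ("tcp", 80)}, {"icmp"}, {"VULN-SMB-1"}),
    "10.1.1.20": HostProfile("10.1.1.20", {("tcp", 22)}, set(), set()),
}
EVENTS = [
    IntrusionEvent("10.1.1.20", "tcp", 445, {"VULN-SMB-1"}, sid=1),     # port closed    -> 3
    IntrusionEvent("10.1.1.10", "tcp", 445, {"VULN-SMB-1"}, sid=1),     # mapped vuln    -> 1
    IntrusionEvent("10.1.1.10", "tcp", 80, {"VULN-HTTP-9"}, sid=2),     # open, no vuln  -> 2
    IntrusionEvent("10.1.1.99", "tcp", 80, {"VULN-HTTP-9"}, sid=2),     # unknown host   -> 4
    IntrusionEvent("198.51.100.5", "tcp", 80, {"VULN-HTTP-9"}, sid=2),  # unmonitored    -> 0
    IntrusionEvent("10.1.1.10", "icmp", None, {"VULN-ICMP-3"}, sid=3),  # proto in use   -> 2
]

if __name__ == "__main__":
    for flag, action, ev in triage(EVENTS, HOSTS, MONITORED):
        print(flag, ev.dst_ip, ev.proto, ev.dst_port, "->", action)
```

The same Snort rule fires twice (sid 1) and lands on flag 1 for one target and flag 3 for the other; that host-side context, not the rule, is what makes the queue actionable.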

Page 11

Indications of Compromise (IoCs) Detection & Threat Correlation

IPS events: malware backdoors, CnC connections, exploit kits, admin privilege escalations, web app attacks
Security Intelligence events: connections to known CnC IPs, DNS servers, suspect URLs
Malware events: malware detections, malware executions, Office/PDF/Java compromises, dropper infections

Page 12

Firepower Recommendations: it knows what I do not

Page 13

Advanced Malware Protection (AMP)

Uncover hidden threats in the environment

Breadth and control points: endpoints, network, email, web (WWW), devices, IPS

Telemetry stream (continuous feed, continuous analysis): file fingerprint and metadata, process information, file and network I/O

Talos + Threat Grid intelligence: trajectory, behavioral indications of compromise, threat hunting, retrospective detection

Page 14

AMP in Action

Network and endpoint correlation in Firepower Management Center

Who: Focus on these users first
What: These applications are affected
Where: The breach impacted these areas
When: This is the scope of exposure over time
How: Here is the origin and progression of the threat

Page 15

The results speak for themselves

4.6 hours: median time to detection with Cisco security*
Weeks: industry average time to detection

* Source: Cisco 2018 Annual Cybersecurity Report

Page 16

Network and Security Visibility and Analysis

See more and detect threats faster

• Visibility into threat activity across users, hosts, networks, and infrastructure
• Network file trajectory maps how hosts transfer files, including malware files, across your network to scope an attack, set outbreak controls, and identify the source of the threat
• Centralized management provides contextual threat analysis and reporting, with consolidated visibility into security and network operations

More visibility equals faster time to detection
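File trajectory and retrospective detection, described on pages 13, 14 and 16, as an added in-memory model (not Cisco's code): every transfer or execution is recorded by SHA-256 regardless of disposition at the time, so when a hash is later convicted the store can already answer where the file came from, which hosts hold it and where it ran, and can put the hash under outbreak control for any later transfer. Hashes, host names and timestamps are constructed.

```python
"""Trajectory store with retrospective detection and outbreak control (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Sighting:
    ts: int          # epoch seconds
    sha256: str
    src: str         # host (or external origin) the file came from
    dst: str         # host that received or executed it
    event: str       # "transfer" or "execute"


class TrajectoryStore:
    def __init__(self) -> None:
        self._sightings: Dict[str, List[Sighting]] = defaultdict(list)
        self.disposition: Dict[str, str] = {}    # sha256 -> clean / unknown / malicious
        self.blocked: set = set()                 # outbreak control list

    def record(self, s: Sighting, disposition: str = "unknown") -> str:
        """Store the sighting; return the action taken at the time of the event."""
        self._sightings[s.sha256].append(s)
        current = self.disposition.setdefault(s.sha256, disposition)
        return "block" if current == "malicious" or s.sha256 in self.blocked else "allow"

    def trajectory(self, sha256: str) -> List[Sighting]:
        return sorted(self._sightings.get(sha256, []), key=lambda s: s.ts)

    def update_disposition(self, sha256: str, new: str) -> Optional[dict]:
        """Apply a later verdict; return the exposure scope if the hash became malicious."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = new
        if new != "malicious" or old == "malicious":
            return None
        self.blocked.add(sha256)                   # outbreak control: stop further transfers
        traj = self.trajectory(sha256)
        if not traj:
            return {"origin": None, "hosts": [], "executed_on": [],
                    "first_seen": None, "last_seen": None}
        hosts: List[str] = []
        for s in traj:
            if s.dst not in hosts:
                hosts.append(s.dst)                # in order of exposure
        return {
            "origin": traj[0].src,
            "hosts": hosts,
            "executed_on": sorted({s.dst for s in traj if s.event == "execute"}),
            "first_seen": traj[0].ts,
            "last_seen": traj[-1].ts,
        }


# Constructed timeline: a file enters from the internet, spreads laterally,
# runs on two hosts, and is only convicted afterwards.
H = "a" * 64   # placeholder SHA-256
SAMPLE = [
    Sighting(1000, H, "internet", "pc-01", "transfer"),
    Sighting(1300, H, "pc-01", "pc-01", "execute"),
    Sighting(1600, H, "pc-01", "fileserver", "transfer"),
    Sighting(2000, H, "fileserver", "pc-07", "transfer"),
    Sighting(2100, H, "pc-07", "pc-07", "execute"),
]


def run_scenario(store: Optional[TrajectoryStore] = None) -> dict:
    store = store if store is not None else TrajectoryStore()
    actions = [store.record(s) for s in SAMPLE]          # unknown at the time: all allowed
    scope = store.update_disposition(H, "malicious")      # retrospective conviction
    later = store.record(Sighting(2500, H, "pc-07", "pc-09", "transfer"))
    return {"actions_before": actions, "scope": scope, "action_after": later}


if __name__ == "__main__":
    print(run_scenario())
```

The point of keeping sightings for files that were clean or unknown at the time is visible in the scenario: nothing was blocked while the file spread, but the conviction still yields the origin, the ordered list of exposed hosts and the two hosts that executed it, and the next transfer is blocked.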

Page 17

“You can’t protect against what you can’t see”

Gain more insight with increased visibility

Visibility comparison (typical IPS vs. typical NGFW vs. Cisco Firepower™ NGFW) across: threats, users, web applications, application protocols, file transfers, malware, command and control servers, client applications, network servers, operating systems, routers and switches, mobile devices, printers, VoIP phones

Page 18

OpenAppID

Application Visibility & Control

Provide next-generation visibility into app usage

• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps

Cisco database: 4,000+ pre-defined apps, applied to network & users to prioritize traffic

Page 19

OpenAppID - Crowdsourcing Application Detection

Extend AVC to proprietary and custom apps

• Easily customize application detectors
• Detect custom and proprietary applications
• Share detectors with other users

Open source, self-service

Page 20

Decrypt traffic in hardware and software

TLS/SSL decryption engine

Uncover hidden threats at the edge

• Inspect deciphered packets
• Track and log all TLS sessions

Diagram: encrypted traffic enters the TLS decryption engine; deciphered sessions are logged and passed to AVC and NGIPS, which make the enforcement decisions (e.g. blocking gambling or illicit sites).

Page 21

Visibility Provides Context

Page 22

Detailed Threat Analytics

Page 23

Visibility Provides Context

Page 24

Visibility Provides Context

Page 25

Customizable Monitoring and Reporting

Page 26

Closing

Page 27

Products https://www.cisco.com/c/en/us/products/security/firewalls/index.html#~products

Cisco Firepower® 2100 Series
• Internet edge to small data center environments. Better security, more visibility
• Firewall throughput and sustained performance with threat inspection from 2.0 to 8.5 Gbps
• Stateful firewall, AVC, NGIPS, AMP, URL filtering

Cisco Firepower 4100 Series
• Internet edge, high-performance enterprise environments
• Firewall throughput and threat inspection from 20 to 60 Gbps
• Stateful firewall, AVC, NGIPS, AMP, URL filtering, DDoS (Radware vDP)

Cisco Firepower 9300 Security Appliance
• Service provider, data center
• Firewall throughput up to 225 Gbps and threat inspection up to 90 Gbps
• Firewall, AVC, NGIPS, AMP, URL filtering, DDoS (Radware vDP)

To learn more, visit Cisco Next-Generation Firewalls

Page 28

Virtual and Cloud Solutions

Firewall, AVC, NGIPS, AMP, URL filtering, VPN (IPsec and SSL)

Managed by FMC and FDM

Page 29