Sourcefire FireAMP Update
Eric Kostlan Technical Marketing EngineerSecurity Technology Business Unit
July 8, 2014
Cisco Confidential 2 2013-2014 Cisco and/or its affiliates. All rights reserved.
Session Objectives
Introduction
Cisco AMP Features and Design
Unique Business Value
Product Roadmap
Demonstration
Additional Resources
At the end of the session, the participants should be able to:
Describe how AMP Everywhere gives customers unprecedented visibility and control
Understand the design concepts central to core AMP functionality
Explain the AMP product roadmap direction and features at a high level
Attackers are determined and resourceful
Malware is still getting onto devices; detection is not 100%
Point-in-time detection is not sufficient
An integrated response is required to be effective
Advanced Malware Protection must be pervasive

AMP solves business problems:
Where do I start?
What is the scope, and how bad is the situation?
What was the point and method of entry?
Can I control and remediate across gateways, networks, and endpoints?
Comprehensive Security Solutions (attack continuum diagram)
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Network: In-line Threat Detection and Prevention; Contextual Awareness; Control Automation; File Retrospection; File Trajectory
Endpoint: File Execution Blocking; File Retrospection; File Trajectory; Device Trajectory; File Analysis; Indications of Compromise; Outbreak Control
Reputation Filtering and Behavioral Detection
Spero Engine: Big Data and Machine Learning
Spero is one of the detection engines in the AMP Cloud and provides zero-day detection
It creates a "feature print" of a file from structural information: the PE header and the DLLs the file references
The feature print, not the file itself, is sent to the AMP Cloud, where it is matched against machine-learned trees and a disposition is returned
Spero is available in AMP for Networks and in the Windows endpoint connector
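Spero's real feature set and model are proprietary and not described on these slides. The following is an added example, not Cisco or Sourcefire code, showing the kind of structural feature print such an engine works from: it parses a PE image's headers, section table and import directory into a feature vector and hashes that vector, so only the print would need to leave the host for a lookup. The minimal PE image is constructed inline (it is not a runnable program), and the chosen features, the function names and the `entry_in_executable_section` heuristic are assumptions.

```python
import hashlib
import json
import struct


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real program) with an import
    directory that names two DLLs, so the parser below has input to chew on."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 exe
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)             # AddressOfEntryPoint (inside .rdata!)
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<HH", opt, 68, 2, 0)              # Subsystem GUI, no DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, 0x1000, 60)       # DataDirectory[1] = import table
    sect = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", 0x100, 0x1000, 0x100, 0x200,
                       0, 0, 0, 0, 0x40000040)          # readable initialized data, not executable
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    rdata = bytearray(0x100)                            # maps RVA 0x1000 -> file offset 0x200
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name RVA, FirstThunk
    struct.pack_into("<IIIII", rdata, 0, 0x1080, 0, 0, 0x1040, 0x1090)
    struct.pack_into("<IIIII", rdata, 20, 0x1088, 0, 0, 0x1050, 0x1098)
    # third descriptor stays all-zero: the terminator
    rdata[0x40:0x4D] = b"KERNEL32.dll\0"
    rdata[0x50:0x5B] = b"WS2_32.dll\0"
    return headers + bytes(rdata)


def _cstr(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")


def feature_print(pe: bytes) -> dict:
    """Structural features of a PE image: header fields, section layout,
    imported DLLs and one consistency heuristic. Raises on non-PE input."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    subsystem, dllchars = struct.unpack_from("<HH", pe, opt + 68)
    nrva = struct.unpack_from("<I", pe, opt + 92)[0]
    imp_rva = struct.unpack_from("<I", pe, opt + 96 + 8)[0] if nrva > 1 else 0

    sections = []                                       # (name, va, vsize, raw, rsize, chars)
    for i in range(nsect):
        name, vsize, va, rsize, raw, *_, sc = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw, rsize, sc))

    def rva_to_off(rva: int) -> int:
        for _n, va, vsize, raw, rsize, _c in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} not mapped by any section")

    dlls = []
    if imp_rva:
        off = rva_to_off(imp_rva)
        while True:
            desc = struct.unpack_from("<IIIII", pe, off)
            if not any(desc):                           # all-zero descriptor terminates the table
                break
            dlls.append(_cstr(pe, rva_to_off(desc[3])).lower())
            off += 20

    entry_exec = any(va <= entry < va + max(vs, rs) and sc & 0x20000000
                     for _n, va, vs, _r, rs, sc in sections)
    return {
        "machine": machine, "pe32plus": magic == 0x20B, "characteristics": chars,
        "subsystem": subsystem, "dll_characteristics": dllchars, "entry_point": entry,
        "n_sections": nsect, "sections": [s[0] for s in sections],
        "entry_in_executable_section": entry_exec,      # False is a classic packer/malware tell
        "imported_dlls": sorted(dlls),
    }


def print_hash(features: dict) -> str:
    """Canonical digest of the feature print: this, not the file, goes to the lookup."""
    return hashlib.sha256(json.dumps(features, sort_keys=True).encode()).hexdigest()


if __name__ == "__main__":
    feats = feature_print(build_sample_pe())
    print(json.dumps(feats, indent=2), print_hash(feats))
```

The constructed image deliberately places its entry point inside a non-executable section and sets no DllCharacteristics (no ASLR or DEP flags), the sort of header inconsistency a structural classifier picks up without ever executing the file.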
AMP Cloud Features
Admin portal: deployment and management, network and endpoint protection, tracking and outbreak control
Device Trajectory, File Trajectory, Threat Root Cause
Offloads heavy analysis from the connector
Collective Security Intelligence
AMP for Endpoints
Managed and deployed from the cloud (AMP Cloud or Private Cloud)
File activity tracking (create/edit/move/execute)
Detection engines: One-to-One, Spero, Ethos
Simple and Advanced Custom Detections
Retrospective alerting and quarantine
Application control
Network flow correlation
Black/white lists
Dynamic analysis
AMP for Endpoints Capabilities

Capability          Windows          Mac      Android
Hash Lookups        SHA256           SHA256   SHA1
Supported Clouds    Public, Private  Public   Public

Further rows of the capability matrix (the per-platform support marks are not preserved in this text): Ethos, Spero, Simple Custom Detections, Advanced Custom Detections, Retrospective Alerting, File Quarantine, Device Flow Correlation, Application Control
AMP for Networks (diagram)
Components: FireSIGHT Management Center (Defense Center), FirePOWER Appliance, AMP Cloud, VRT Dynamic Analysis Cloud
FirePOWER Appliance: carves files from network flows, stores them locally and calculates the hash for lookup (by policy)
File disposition is queried against the AMP Cloud (SHA256, Spero)
Files are submitted to the VRT Dynamic Analysis Cloud (by policy)
FireSIGHT Management Center: configuration (policy), File Trajectory, AMP event correlation, manual dynamic analysis submission for endpoint connectors

Managed by FireSIGHT Management Center
File detection: One-to-One (SHA256) and Spero
File Trajectory, retrospective alerting, dynamic analysis
Policy-based automatic file submission
Public cloud only; private cloud available in 5.4
AMP for Networks Integrated with AMP for Endpoints (diagram)
Components: FireSIGHT Management Center (Defense Center), FirePOWER Appliance, AMP Cloud, VRT Dynamic Analysis Cloud, endpoint connectors
FirePOWER Appliance: carves files from network flows, stores them locally and calculates the hash for lookup (by policy); file disposition queried against the AMP Cloud (SHA256, Spero); files submitted for dynamic analysis (by policy)
FireSIGHT Management Center: configuration (policy), File Trajectory, AMP event correlation; linked to the AMP public cloud to receive endpoint connector events; manual dynamic analysis submission for endpoint connectors
FireAMP Private Cloud Design (not available until 5.4)
Admin portal for rapid deployment and management
Anonymized file disposition lookups
Retrospective analysis
Device Trajectory, File Trajectory, root cause
Tracking and outbreak control
Public Cloud Communication and Retrospection (diagram)
Connectors send a File Query to the AMP Cloud carrying the enterprise and connector ID, the SHA, and the Spero and Ethos feature prints; the cloud responds with a disposition
Every queried SHA enters the cloud's retrospective queue
When a SHA is later convicted, the changed disposition is delivered to each connector that queried it, in response to that connector's periodic PING2 query
Private Cloud Communication and Retrospection (diagram)
Connectors query the on-premise appliance (enterprise and connector ID, SHA, Spero, Ethos); Spero and Ethos are evaluated locally on the appliance
First / unique in the enterprise: the appliance sends an upstream File Query to the AMP Cloud carrying only its device ID and the SHA, and relays the returned disposition
Previously seen in the enterprise: the appliance answers from its own record with no upstream query
Retrospection: the AMP Cloud keeps a retrospective queue per appliance, and the appliance keeps one per connector; a SHA conviction upstream yields a changed disposition on the appliance's PING2 query, which the appliance in turn delivers to its connectors on their PING2 queries
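The two flows above, as an added example that is not Cisco or Sourcefire code: a model of the public cloud lookup with its retrospective queue, and of the private-cloud appliance in front of it that answers previously seen hashes itself, evaluates the local engines, and forwards only (appliance ID, SHA) for first/unique lookups, so connector identities never leave the enterprise. Message shapes, IDs, the `local_bad_prints` stand-in for the locally evaluated Spero/Ethos verdicts and all file contents are constructed; the real protocol is not published on these slides.

```python
import hashlib
from collections import defaultdict, deque


def sha256_hex(data: bytes) -> str:
    """Connectors look files up by SHA-256 of the bytes, never by name or path."""
    return hashlib.sha256(data).hexdigest()


class AmpCloud:
    """Public AMP Cloud: answers disposition lookups and remembers which device
    asked about which SHA, so a later conviction can be pushed back out."""

    def __init__(self):
        self.dispositions = {}                  # sha -> "clean" | "malicious"
        self.seen_by = defaultdict(set)         # sha -> device ids that queried it
        self.retro_queue = defaultdict(deque)   # device id -> (sha, changed disposition)

    def file_query(self, device_id: str, sha: str) -> str:
        self.seen_by[sha].add(device_id)        # the SHA enters the retrospective queue
        return self.dispositions.get(sha, "unknown")

    def convict(self, sha: str, disposition: str = "malicious") -> int:
        """SHA conviction: store the new disposition and queue a changed-disposition
        message for every device that ever asked. Returns the number queued."""
        if self.dispositions.get(sha) == disposition:
            return 0
        self.dispositions[sha] = disposition
        for dev in self.seen_by[sha]:
            self.retro_queue[dev].append((sha, disposition))
        return len(self.seen_by[sha])

    def ping2(self, device_id: str) -> list:
        """PING2: the device polls and drains whatever changed dispositions await it."""
        items = list(self.retro_queue[device_id])
        self.retro_queue[device_id].clear()
        return items


class PrivateCloudAppliance:
    """On-premise appliance. Connectors talk only to it; it evaluates Spero/Ethos
    locally and sends upstream just (its own id, sha), and only for new hashes."""

    def __init__(self, upstream: AmpCloud, appliance_id: str, local_bad_prints=()):
        self.upstream = upstream
        self.appliance_id = appliance_id
        self.local_bad_prints = set(local_bad_prints)  # constructed stand-in for local engine verdicts
        self.cache = {}                                # sha -> disposition learned upstream
        self.seen_by = defaultdict(set)                # sha -> connector ids inside the enterprise
        self.retro_queue = defaultdict(deque)          # connector id -> (sha, changed disposition)
        self.upstream_calls = []                       # audit trail of everything that left the site

    def file_query(self, connector_id: str, sha: str, spero_print: str = "") -> str:
        self.seen_by[sha].add(connector_id)
        if spero_print in self.local_bad_prints:
            return "malicious"                         # local generic detection; nothing leaves
        if sha not in self.cache:                      # first / unique in the enterprise
            self.upstream_calls.append((self.appliance_id, sha))
            self.cache[sha] = self.upstream.file_query(self.appliance_id, sha)
        return self.cache[sha]                         # previously seen: answered locally

    def sync_upstream(self) -> int:
        """The appliance's own PING2 to the public cloud; fans each changed
        disposition out to every local connector that queried that SHA."""
        queued = 0
        for sha, disp in self.upstream.ping2(self.appliance_id):
            self.cache[sha] = disp
            for conn in self.seen_by[sha]:
                self.retro_queue[conn].append((sha, disp))
                queued += 1
        return queued

    def ping2(self, connector_id: str) -> list:
        items = list(self.retro_queue[connector_id])
        self.retro_queue[connector_id].clear()
        return items


def demo():
    """Walk both flows; returns the values worth checking."""
    cloud = AmpCloud()
    sample = sha256_hex(b"constructed sample payload")
    first = cloud.file_query("conn-A", sample)         # public cloud, unknown at first sight
    cloud.file_query("conn-B", sample)
    fanout = cloud.convict(sample)                     # later conviction reaches both connectors
    retro_a = cloud.ping2("conn-A")
    appliance = PrivateCloudAppliance(cloud, "appliance-1", local_bad_prints={"print-bad"})
    other = sha256_hex(b"second constructed sample")
    appliance.file_query("p1", other)                  # first/unique: one upstream call
    appliance.file_query("p2", other)                  # previously seen: no upstream call
    local = appliance.file_query("p3", sha256_hex(b"third"), spero_print="print-bad")
    cloud.convict(other)
    queued = appliance.sync_upstream()                 # one upstream message, two local fan-outs
    return first, fanout, retro_a, appliance.upstream_calls, local, queued, appliance.ping2("p1")
```

The `upstream_calls` list is the point of the private cloud slide: whatever the appliance asks upstream is keyed by the appliance, not by the connector, and a hash the enterprise has already seen never produces a second upstream lookup.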
AMP Everywhere (diagram)
Columns: Endpoint, Network, Gateway, Sandbox; rows: Cloud Connected, On-Premises; FireSIGHT provides events and correlation across all of them
Endpoint: FireAMP
Network: FirePOWER, ASA
Gateway: ESA, WSA, CWS
Sandbox: Dynamic Analysis (cloud connected); on-premises: Dynamic Analysis and FireAMP Private Cloud
Out-scoping the competition: Cisco has the most comprehensive strategy for Advanced Malware Protection
FirePOWER Services on the ASA (diagram)
Components: FireSIGHT Management Center (Defense Center), ASA cluster with Sourcefire virtual sensor, Cisco Security Manager, AMP Cloud, VRT Dynamic Analysis Cloud, endpoint connectors
ASA with FirePOWER Services: file disposition queried against the AMP Cloud (SHA256, Spero); files submitted for dynamic analysis
FireSIGHT Management Center: configuration (policy), File Trajectory, AMP event correlation; linked to the AMP public cloud for endpoint connector events; manual dynamic analysis submission for endpoint connectors
Performance Testing Methodology and Estimator
Broad traffic mix (HTTP, SMTP, FTP, SSH, BitTorrent)
Multiple file types (PDF, MP3, FLV, JPG, EXE)
Low file volume (30%) tests
High file volume (50%) tests
Results fed into the Performance Estimator
Estimator to be available on the Cisco intranet
AMP Throughput Guidelines
With Advanced Malware Protection enabled (access control rules, IPS policy, application classification, file policy, cloud malware lookups):
~30-35% of IPS throughput
~60-70% of NGFW throughput
Assumes NGFW, IPS and file policies are enabled
Guideline applies to standard FirePOWER appliances and modules; dedicated AMP appliances have their AMP throughput in the data sheet

Model    IPS (Mbps)   IPS+NGFW   IPS+NGFW+AMP
3D8390   60000        30000      21000
3D8370   45000        22500      16500
3D8360   30000        15000      10500
3D8350   15000        7500       4500
Beyond the Event Horizon
Point-in-time detection (antivirus, sandboxing):
Initial disposition = Clean; analysis stops
Not 100%: evaded by sleep techniques, unknown protocols, encryption, polymorphism
Actual disposition = Bad = too late; blind to the scope of compromise

Cisco AMP:
Initial disposition = Clean, but retrospective detection keeps the analysis going
Actual disposition = Bad = blocked
"Turns back time": visibility and control are key
Competition

McAfee
Competitor strengths: Mature player with roots as a consumer AV supplier. Stonesoft has good third-party results. Class-one competitor in the IPS space. The Intel acquisition has opened the Internet of Things for McAfee.
Competitor weaknesses: Sandbox technology. Different technologies used for inspection, remediation, etc. Difficult to choose a solution, as the offerings are really confusing. Snort is not integrated well.
Why Cisco: Architecturally superior to McAfee, which still banks on sandboxing for dynamic analysis. AMP is well integrated with FirePOWER platforms and does not require a separate box for malware detection. Supported by a superior IPS.

FireEye (with Mandiant)
Competitor strengths: Multi-Vector technology, an innovation over regular sandboxing. Mandiant added to the product profile as an endpoint solution. Easy to deploy and manage.
Competitor weaknesses: Always allows the first threat through. The lack of an endpoint solution has made it worse. The lack of a good IPS creates lots of false positives. Remediation takes minutes to hours; the solution sweeps the network to find infected hosts. Cannot inspect encrypted traffic.
Why Cisco: Superior malware detection technology (big data). Better visibility and scope determination. Superior remediation and control capabilities. Visibility into encrypted traffic. Better protection for mobile endpoints. Resistance to sandbox evasions. Better coverage with AMP on ESA/WSA.

Palo Alto Networks (with Cyvera)
Competitor strengths: Endpoint presence with the Cyvera acquisition. Cyvera will address poor IPS coverage by interoperating with Wildfire. Threat prevention with global intelligence sharing through Wildfire.
Competitor weaknesses: No solution for the "after" phase of the attack continuum: no remediation capabilities, no scope determination capabilities. Cyvera detection technology has performance overhead. Management integration will be tricky.
Why Cisco: Addresses all of the Cyvera weaknesses above. Cisco addresses all phases of the attack continuum, with solutions for the "after" phase: remediation, retrospection and scope determination. Better endpoint protection for mobile endpoints. Superior IPS technology.
NSS Labs Security Value Map (SVM) for Breach Detection Systems (chart: Security Effectiveness against TCO per Protected-Mbps)
Cisco Advanced Malware Protection: Best Protection Value
99.0% Breach Detection Rating
Lowest TCO per Protected-Mbps
Advanced Malware Protection Roadmap Summary
Timeline: Q1'14, Q2'14, Q3'14, Q4'14, Q1'15 (the quarter placement of individual items is not preserved in this text)
Legend: Endpoint Component, Network Component, Content Component, Common Use

Cloud and Connector Delivery Model
FirePower v5.3: 0-day malware detection (cloud-based sandbox); file capture and storage; custom file detection/blocking; host and network malware event correlation
FireAMP 5.0 / Connector 4.0: endpoint OpenIOC; license enforcement
FireAMP Private Cloud 1.0: virtual appliance; proxied cloud with local management and reporting
FireAMP 4.5.2 / Connector 3.1.9: remote file extraction
FireAMP 4.5: cloud IOC support; Elastic Search; low prevalence report
FireAMP Private Cloud 2.0: air-gapped; license enforcement

On-Premise Delivery Model (the above plus these)
Dynamic Analysis: local dynamic analysis (sandboxing); ThreatGRID on-prem integration
AMP 8150, 7150: new FirePOWER models with increased memory and CPU cores (for file functions)
FireAMP 5.1: role-based access control (RBAC); support portal; risk reports
FireAMP Linux Connector 1.0: Linux support
Mac OSX Connector 1.0: Mac OSX support
FirePower SSL: integrated SSL decryption; private cloud support; EU cloud support; file archive (.zip) support; UTF8 filename display
AMP on Web/Mail/Cloud (ESA/WSA/CWS): file disposition look-ups; 0-day malware detection (cloud-based sandbox)
AMP on Web/Mail/Cloud (ESA/WSA/CWS): private cloud support; custom file detection/blocking
Mac OSX Connector 1.x: parity completion
FirePower ASA: AMP (Sourcefire) on ASA
Dynamic Analysis: ThreatGRID cloud integration
The key takeaways of this presentation were:
AMP utilizes a variety of on-box engines and cloud services
Integration of AMP for Endpoints and AMP for Networks enhances AMP capabilities
ASA provides AMP capabilities by means of an on-box FirePOWER virtual sensor (AMP for Networks)
AMP provides competitive advantages to several Cisco products
The following will be demonstrated:
AMP for Endpoints
AMP for Networks
File Trajectory
An unknown file is present on IP 10.4.10.183, having been downloaded with Firefox
At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8
Seven hours later the file is transferred to a third device (10.3.4.51) over an SMB application
Half an hour later the file is copied to a fourth device (10.5.60.66) through the same SMB application
The Cisco Collective Security Intelligence Cloud learns that this file is malicious, and a retrospective event is raised immediately for all four devices
At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware
Eight hours after the first attack, the malware tries to re-enter the network through the original point of entry but is recognized and blocked
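A worked version of this scenario, as an added example that is not Cisco's code: the events below are constructed to follow the narrative above, the functions reconstruct the file trajectory, answer the scope and point-of-entry questions from the business-problems slide, raise one retrospective event per affected host at conviction time, and show why the re-entry attempt is blocked. The source of the 10.3.4.51 hop, the channel of the 10:57 transfer, the conviction time and the placeholder hash are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    """One file transfer seen by a sensor or connector."""
    when: datetime
    sha: str
    src: str        # "" when the file arrived from outside (an external download)
    dst: str
    channel: str    # application the sensor attributed the transfer to


SHA = "ab" * 32                                     # constructed placeholder SHA-256
T0 = datetime(2014, 7, 8, 10, 57)                   # time of the first transfer in the demo
# Constructed events following the demo narrative; the source of the third hop is assumed.
EVENTS = [
    FileEvent(T0, SHA, "", "10.4.10.183", "HTTP (Firefox)"),
    FileEvent(T0, SHA, "10.4.10.183", "10.5.11.8", "unknown"),
    FileEvent(T0 + timedelta(hours=7), SHA, "10.5.11.8", "10.3.4.51", "SMB"),
    FileEvent(T0 + timedelta(hours=7, minutes=30), SHA, "10.3.4.51", "10.5.60.66", "SMB"),
]
CONVICTED_AT = T0 + timedelta(hours=7, minutes=45)  # assumed moment the cloud flips the disposition


def trajectory(events, sha):
    """File Trajectory: every transfer of one hash, in time order."""
    return sorted((e for e in events if e.sha == sha), key=lambda e: e.when)


def point_of_entry(events, sha):
    """First host that received the file from outside, and how ('point and method of entry')."""
    for e in trajectory(events, sha):
        if e.src == "":
            return e.dst, e.channel
    return None


def scope(events, sha, as_of=None):
    """Hosts that have held the file by `as_of`, with first-seen time ('what is the scope?')."""
    first_seen = {}
    for e in trajectory(events, sha):
        if as_of is not None and e.when > as_of:
            break
        first_seen.setdefault(e.dst, e.when)
    return first_seen


def retrospective_events(events, sha, convicted_at):
    """One retrospective event per affected host the moment the disposition changes,
    ordered by when each host first received the file."""
    hosts = sorted(scope(events, sha, convicted_at).items(), key=lambda kv: kv[1])
    return [{"sha": sha, "host": h, "first_seen": t, "raised_at": convicted_at} for h, t in hosts]


def disposition_at(convictions, sha, when):
    """What a sensor enforces at `when`: malicious once the conviction exists, unknown before."""
    t = convictions.get(sha)
    return "malicious" if t is not None and when >= t else "unknown"


def reentry_blocked(events, sha, convictions, attempt_at):
    """A new download of the same hash at the original point of entry is blocked
    only if the conviction has already happened by the time of the attempt."""
    return point_of_entry(events, sha) is not None and \
        disposition_at(convictions, sha, attempt_at) == "malicious"


if __name__ == "__main__":
    for ev in retrospective_events(EVENTS, SHA, CONVICTED_AT):
        print(ev["host"], "first seen", ev["first_seen"], "retro event at", ev["raised_at"])
    print("re-entry blocked:", reentry_blocked(EVENTS, SHA, {SHA: CONVICTED_AT}, T0 + timedelta(hours=8)))
```

The same four-host answer is what the File Trajectory view gives an analyst without the script; the point of computing it from events is that the scope is derived from where the hash actually travelled, not from which hosts happened to raise an alert.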
Sourcefire IQ Center: https://sourcefire.learn.taleo.net
NSS Report: https://info.sourcefire.com/NSSBreachDetectionReportSEM.html?gclid=CL_lnJH0-L4CFQWTfgodyhQAsg
dCloud Demonstration Pods: http://dcloud.cisco.com
Partner Education Connection: http://www.cisco.com/web/learning/le36/learning_partner_e-learning_connection_tool_launch.html
Thank you.