Cisco, Sourcefire and Lancope – Better Together
David Salter
Technical Director, Lancope Inc.
26th February 2014

Technology overview for Sourcefire FireSIGHT and Lancope StealthWatch including:

• Core features and functionality
• Market positioning and differentiators
• Technology integration for effective incident response

Published in: Technology
Transcript of "Cisco, Sourcefire and Lancope - Better Together"

  1. Cisco, Sourcefire and Lancope – Better Together
     David Salter, Technical Director, Lancope Inc.
     26th February 2014
     © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  2. The Problem is
  3. (no text on slide)
  4. Attack Continuum
     BEFORE: Control, Enforce, Harden
     DURING: Detect, Block, Defend
     AFTER: Scope, Contain, Remediate
     Covers Network, Endpoint, Mobile, Virtual and Cloud; Point in time vs. Continuous
  5. Attack Continuum
     BEFORE: Control, Enforce, Harden
     DURING: Detect, Block, Defend
     AFTER: Scope, Contain, Remediate
     Technologies shown on the continuum: Firewall, Patch Mgmt, IPS, IDS, AMD, App Control, Vuln Mgmt, Anti-Virus, FPC, Log Mgmt, VPN, IAM/NAC, Email/Web, Forensics, SIEM
     Visibility and Context
  6. Attack Continuum
     BEFORE: Control, Enforce, Harden
     DURING: Detect, Block, Defend
     AFTER: Scope, Contain, Remediate
     Technologies shown on the continuum: Firewall, VPN, NGFW, UTM, NAC + Identity Services, NGIPS, Advanced Malware Protection, Web Security, Email Security, Lancope StealthWatch System
     Visibility and Context
  7. Attack Continuum: BEFORE (Control, Enforce, Harden)
     • BREADTH
       • Monitor and profile network traffic and application data for up to 25M+ hosts
       • Monitor policy
       • Provide intelligence to improve defenses
       • Identify precursors to an attack (example: reconnaissance)
     • DEPTH
       • Host map and risk profile up to 300K hosts
       • Identify applications and services (over 2000)
       • Identify Operating Systems
       • Leverage network awareness as a component of NGIPS
       • Help tune policy
     Visibility and Context
  8. Attack Continuum: DURING (Detect, Block, Defend)
     • NETWORK FOCUS
       • Leverages Cisco infrastructure for detection
       • Detection using behavioral profiles & statistical modeling
       • Detect attacks that do not violate policy (low and slow attacks, data loss)
       • Detect ongoing attacks (DDoS)
     • HOST/APPLICATION FOCUS
       • Network probes and host agents
       • DPI & rules engine (Snort) to alert/block vulnerabilities
       • Detect/block known bad files for specific host platforms
       • Leverage sandboxing to identify known bad file activity
     Visibility and Context
  9. Attack Continuum: AFTER (Scope, Contain, Remediate)
     • Track infection spread through the network
     • Create a forensic trail of network activities
     • Investigate activities post mortem
     • Reconstruct attack timeline
     • Provide file interaction history
     • Detect and remediate known bad files
     • Limit the proliferation of known bad files
     Visibility and Context
  10. Feature comparison: Sourcefire FireSIGHT vs. Lancope StealthWatch
      Data Source
        FireSIGHT: Enriched metadata generated by dedicated sensors; creates a detailed network host map
        StealthWatch: NetFlow/IPFIX from Cisco routers, switches and firewalls, StealthWatch FlowSensor, and other flow sources
      Storage
        FireSIGHT: 500M events and 500M flow summaries, usually weeks of data or less
        StealthWatch: Up to 4TB of storage per collector, usually many months or more; many FlowCollectors attached to a single Management Console
      Event Rate
        FireSIGHT: Up to 10,000 events per second, based on appliance model
        StealthWatch: 120,000+ flows per second per FlowCollector appliance
      Scalability
        FireSIGHT: Based on Defense Center event database max
        StealthWatch: Horizontal; supports queries across multiple FlowCollectors
      Scalability of data sources
        FireSIGHT: Single Defense Center can support over 100 sensors, one database
        StealthWatch: Up to 50,000 sources (routers / switches / firewalls)
  11. Sourcefire FireAMP vs. Lancope StealthWatch
      Sourcefire FireAMP
        • Detection of threats using file analysis
        • File analysis is not 100 percent effective, but those that are detected are quarantined.
        • 'Retrospective' detection can alert to older malware when new intelligence is added to the cloud
        • Client support depends on platform. Network inspection requires a distributed deployment of FirePOWER devices.
        • FireAMP shows machines infected chronologically, and how the file moved and proliferated, but does not show flow information
      Lancope StealthWatch
        • Detection of threats using traffic analysis
        • Detect malware created to evade file analysis or packet inspection. Remediation is performed leveraging other technologies (firewall, IPS, traffic scrubber, host quarantine, etc.)
        • User activity recorded and available for both real time and historic analysis of suspect hosts spanning months/years.
        • Monitors all host activity regardless of machine type, recording transactions for analysis.
        • StealthWatch has an extensive history of all network communication made by infected hosts, to determine the potential exposure
  12. Attack Continuum
      BEFORE: Control, Enforce, Harden
      DURING: Detect, Block, Defend
      AFTER: Scope, Contain, Remediate
      Technologies shown on the continuum: Firewall, VPN, NGFW, UTM, NAC + Identity Services, NGIPS, Advanced Malware Protection, Web Security, Network Behavior Analysis, Email Security, Lancope StealthWatch System
      Visibility and Context
  13. An Architectural Approach
      • Pervasive visibility across the attack continuum
      • Focus on threats in addition to policy
      • Provide holistic view into all host-to-host communication
      • Reduce complexity, increase capabilities
      • A platform strategy addressing a broad range of attack vectors – everywhere the threat manifests
      • Enabled by world-class research & open source
  14. Thank you.
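Slides 8 and 11 describe the flow-analysis side of the deck in one line each: behavioral profiles and statistical modeling over NetFlow/IPFIX to catch activity that violates no policy (data loss, low-and-slow attacks), and a long history of host-to-host communication used to scope what an infected host touched. The Python below is an added illustration of those three ideas and is not Lancope, Cisco or Sourcefire code; it has no StealthWatch API. It assumes the monitored estate is the two RFC 1918 ranges in INTERNAL_NETS and works over constructed flow records (the hosts, addresses and byte counts in sample_flows are made up for the demo). Each internal host is baselined against its own seven days of outbound volume rather than a fixed threshold; the trickle detector counts distinct hours rather than bytes, which is why a daily volume rule never sees it; the exposure function answers the slide-11 question "which internal peers did the infected host talk to after the incident started".

```python
"""Behavioral baselining over NetFlow-style records: outbound-volume anomalies,
low-and-slow trickles, and post-infection exposure scoping. Added example with
constructed data; not vendor code."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

HOUR, DAY = 3600, 86400
# Assumption: these RFC 1918 ranges are "inside"; anything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent src -> dst

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def outbound_bytes_per_day(flows):
    """host -> {day_index: bytes sent to external destinations that day}."""
    per_host = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            per_host[f.src][f.ts // DAY] += f.bytes_out
    return per_host

def volume_anomalies(flows, baseline_days, observe_day, k=3.0, floor=1_000_000):
    """Hosts whose outbound volume on observe_day exceeds mean + k*stdev of their
    own baseline days. `floor` keeps near-zero-variance hosts from alerting on
    noise. Returns host -> (bytes_today, threshold)."""
    alerts = {}
    for host, days in outbound_bytes_per_day(flows).items():
        history = [days.get(d, 0) for d in baseline_days]
        threshold = max(mean(history) + k * pstdev(history), floor)
        today = days.get(observe_day, 0)
        if today > threshold:
            alerts[host] = (today, int(threshold))
    return alerts

def low_and_slow(flows, min_hours=12, max_bytes=2_000):
    """(src, dst) pairs with small external flows in at least min_hours distinct
    hours: a steady trickle that per-flow size or daily volume rules never see.
    Returns pair -> number of distinct hours with such a flow."""
    hours = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.bytes_out <= max_bytes:
            hours[(f.src, f.dst)].add(f.ts // HOUR)
    return {pair: len(h) for pair, h in hours.items() if len(h) >= min_hours}

def exposure(flows, infected, since_ts):
    """Internal peers the infected host exchanged flows with (either direction)
    from since_ts on, with first-seen timestamp: the set to scope and contain."""
    first_seen = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.ts < since_ts:
            continue
        if f.src == infected and is_internal(f.dst):
            peer = f.dst
        elif f.dst == infected and is_internal(f.src):
            peer = f.src
        else:
            continue
        first_seen.setdefault(peer, f.ts)
    return first_seen

# --- constructed sample telemetry: 7 baseline days, then one observed day ---
DAY0 = 1_700_000_000 - 1_700_000_000 % DAY       # a day boundary for the sample
BASELINE_DAYS = [DAY0 // DAY + i for i in range(7)]
OBSERVE_TS = DAY0 + 7 * DAY
OBSERVE_DAY = OBSERVE_TS // DAY

def sample_flows():
    flows = []
    for day in range(8):
        for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
            # routine daily upload to a SaaS endpoint, varying a little by day
            flows.append(Flow(DAY0 + day * DAY + 9 * HOUR, host, "203.0.113.10", 443,
                              50_000_000 + 1_000_000 * (day % 3)))
    # pre-incident file-share traffic that exposure scoping must ignore
    flows.append(Flow(DAY0 + 2 * DAY + 10 * HOUR, "10.0.0.6", "10.0.0.5", 445, 20_000))
    # observed day: .6 pushes ~900 MB to an unfamiliar host, then touches two peers
    flows.append(Flow(OBSERVE_TS + 2 * HOUR, "10.0.0.6", "198.51.100.20", 443, 900_000_000))
    flows.append(Flow(OBSERVE_TS + 3 * HOUR, "10.0.0.6", "10.0.0.5", 445, 4_000))
    flows.append(Flow(OBSERVE_TS + 5 * HOUR, "10.0.0.9", "10.0.0.6", 3389, 8_000))
    # observed day: .7 sends 500 bytes every hour to one external host
    for hr in range(24):
        flows.append(Flow(OBSERVE_TS + hr * HOUR + 17 * 60, "10.0.0.7", "192.0.2.44", 8443, 500))
    return flows

def run_demo():
    flows = sample_flows()
    return {"volume": volume_anomalies(flows, BASELINE_DAYS, OBSERVE_DAY),
            "trickle": low_and_slow(flows),
            "exposure": exposure(flows, "10.0.0.6", OBSERVE_TS)}

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

On the sample data only 10.0.0.6 trips the volume baseline (951 MB against a threshold near 53 MB), only the 10.0.0.7 to 192.0.2.44 pair shows up as a 24-hour trickle, and exposure scoping returns 10.0.0.5 and 10.0.0.9 while ignoring the day-2 file-share flow. Real deployments tune k, floor, min_hours and max_bytes per network, and the ipaddress.is_private shortcut was avoided on purpose: it treats the documentation ranges used here as private.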