Next Generation Security
Rob Bleeker
Security Consulting Systems Engineer
CCIE# 2926, CISSP
Justin Malczewski
1234567890
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
The Industrialization of Hacking
Timeline, 1990 to 2020:
• Viruses (1990–2000)
• Worms (2000–2005)
• Spyware and Rootkits (2005–Today)
• APTs, Cyberwar (Today +)
Phases along the timeline: Phishing, Low Sophistication → Hacking Becomes an Industry → Sophisticated Attacks, Complex Landscape
How Bad – 2013 and Beyond
Figures shown on the slide (the organizations they belong to were logos, not captured in the text): 145 Million, 152 Million, 70 Million, 60 Million, 50 Million, 50 Million ... and a lot more!
Needs to be a Better Approach
Current approach has never worked!
Imagine – Security as an Architecture
The New Security Model: the Attack Continuum
• BEFORE the attack: Discover, Enforce, Harden
• DURING the attack: Detect, Block, Defend
• AFTER the attack: Scope, Contain, Remediate
Applies across Network, Endpoint, Mobile, Virtual and Cloud; moving from Point in Time to Continuous.
Cyber Attack Chain
Recon → Package → Deliver → Exploit → Install → CnC → Act
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Prevent
• AFTER: Scope, Contain, Remediate
Visibility and Context across the chain, provided by: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behavior Analysis
The more you see, the better you can protect.
Visibility and Control: Cisco Security Intelligence Operation (SIO)
Inputs to Cisco® SIO: WWW, Email, Web, Devices, IPS, Endpoints, Networks (fed by Cloud, AnyConnect®, IPS, ESA, WSA, ASA)
• More than 150 Million deployed endpoints
• 100 TB data received per day
• 1.6 Million global sensors
• 40% of worldwide email traffic
• 13 Billion web requests
Information turned into Actions:
• 3 to 5 minute updates
• More than 200 parameters tracked
• More than 5500 IPS signatures produced
• More than 8 Million rules per day
• More than 70 publications produced
• More than 40 languages
• More than 80 PhD, CCIE, CISSP, MCSE
• More than $100 Million spent in dynamic research and development
• 24 hours daily operations
• More than 800 engineers, technicians, and researchers
Collective Security Intelligence
Outputs: IPS Rules, Malware Protection, Reputation Feeds, Vulnerability Database Updates
Inputs:
• Sourcefire AEGIS™ Program
• Private and Public Threat Feeds
• Sandnets
• FireAMP™ Community
• Honeypots
• Advanced Microsoft and Industry Disclosures
• SPARK Program
• Snort and ClamAV Open Source Communities
• File Samples (>380,000 per Day)
Processed by the Sourcefire VRT® (Vulnerability Research Team) using Sandboxing, Machine Learning and Big Data Infrastructure
ASA with FirePOWER Services
Mission: Security from Cloud to Core
Founded in 2001 by Marty Roesch
• Market leader in (NG)IPS
• Recent entrant to NGFW space with strong offering
• Groundbreaking Advanced Malware Protection solution
Innovative – 52+ patents issued or pending
• Pioneer in IPS, context-driven security, advanced malware
World-class research capability
Owner of major Open Source security projects
• Snort, ClamAV, Razorback
Sourcefire Security Solutions
• Collective Security Intelligence
• Management Center
• Next-Generation Firewall
• Next-Generation Intrusion Prevention
• Advanced Malware Protection
• Contextual Awareness
Form factors shown: Appliances | Virtual; Hosts | Virtual | Mobile
FirePOWER Services for ASA: Components
FirePOWER Services Software Module
• Models: ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X
• SSD Drive Required
• FirePOWER Services Software Module
• Licenses and Subscriptions
ASA 5585-X FirePOWER Services Blade
• Models: ASA 5585-X-10, ASA 5585-X-20, ASA 5585-X-40, ASA 5585-X-60
• New FirePOWER Services Hardware Module Required
• Licenses and Subscriptions
2014 NSS Labs SVM for NGFW
Functional Distribution
Base ASA: ACL, NAT, VPN Termination, Routing
FirePOWER Services Module: Advanced Malware Protection, AVC (App Control), NGIPS, URL Filtering
Next Generation Security on a Trusted Firewall
• ASA Software
• FirePOWER Services: NGIPS, NGFW/AVC, AMP
• FireSIGHT Management Center: Comprehensive SECOPS Workflows
• Cisco Security Manager (CSM) or ASDM: Comprehensive NETOPS Workflows
NGFW Realities – Why does this matter?
• Application visibility efficacy is NOT 100%. Today the best efficacy around App ID is about 65%.
• If you are looking to strengthen your overall security posture, then building policies with 65% efficacy is putting your organization at risk. This creates a hit-and-miss security model.
• Application ID is non-deterministic and applications are evasive; what happens with unknown applications?
• Unknown applications should be logged, and silent drops are forbidden in security: you need to know what has happened even if the application has not been identified.
Cisco Still Understands the Value of App Visibility/Control
• Application visibility and control and web filtering have been within Cisco's portfolio for 5+ years. We have led this with our Cisco IronPort WSA and our CWS (ScanSafe) solutions, and we have brought this quadrant-leading product to our next-generation ASA platform.
• Built upon a strong traditional stateful firewall platform that has been proven within the industry.
Cisco is solving the application ID efficacy problem with OpenAppID.
NGFW Realities – The Blocks of Building the Best NGFW
Difficult to Build at Best. Rating legend: Great / Good / Poor (the colour ratings in the chart are not captured in the text).
Elements rated for "NGFW Today" and for "ASA with FirePOWER Services": Traditional FW, VPN, APP, URL, IPS, Malware, Visibility and Integration
How – Cisco will be adding FireAMP for Malware and Sourcefire NGIPS and further ISE integration.
Note: it is very difficult to build the best of breed for all elements that make a NGFW; the great, good, and poor ratings change depending on the product referenced.
FirePOWER Services: Application Control
• Control access for applications, users and devices
• "Employees may view Facebook, but only Marketing may post to it"
• "No one may use peer-to-peer file sharing apps"
Over 3,000 apps, devices, and more!
Application Control
• Social: Security and DLP
• Mobile: Enforce BYOD Policy
• Bandwidth: Recover Lost Bandwidth
• Security: Reduce Attack Surface
FirePOWER Services: URL Filtering
• Block non-business-related sites by category
• Based on user and user group
FireSIGHT™ Full Stack Visibility
Category | Examples | FirePOWER Services | Typical IPS | Typical NGFW
Threats | Attacks, Anomalies | ✔ | ✔ | ✔
Users | AD, LDAP, POP3 | ✔ | ✗ | ✔
Web Applications | Facebook Chat, Ebay | ✔ | ✗ | ✔
Application Protocols | HTTP, SMTP, SSH | ✔ | ✗ | ✔
File Transfers | PDF, Office, EXE, JAR | ✔ | ✗ | ✔
Malware | Conficker, Flame | ✔ | ✗ | ✗
Command & Control Servers | C&C Security Intelligence | ✔ | ✗ | ✗
Client Applications | Firefox, IE6, BitTorrent | ✔ | ✗ | ✗
Network Servers | Apache 2.3.1, IIS4 | ✔ | ✗ | ✗
Operating Systems | Windows, Linux | ✔ | ✗ | ✗
Routers & Switches | Cisco, Nortel, Wireless | ✔ | ✗ | ✗
Mobile Devices | iPhone, Android, Jail | ✔ | ✗ | ✗
Printers | HP, Xerox, Canon | ✔ | ✗ | ✗
VoIP Phones | Cisco phones | ✔ | ✗ | ✗
Virtual Machines | VMware, Xen, RHEV | ✔ | ✗ | ✗
Contextual Awareness → Information Superiority
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target.
Impact Flag | Administrator Action | Why
Vulnerable | Act Immediately | Event corresponds to vulnerability mapped to host
Potentially Vulnerable | Investigate | Relevant port open or protocol in use, but no vuln mapped
Currently Not Vulnerable | Good to Know | Relevant port not open or protocol not in use
Unknown Target | Good to Know | Monitored network, but unknown host
Unknown Network | Good to Know | Unmonitored network
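The impact-assessment decision table above, worked as an added example (not Cisco or Sourcefire code): a Python classifier that walks the five rows in the same order the slide presents them, using constructed host profiles, events and placeholder vulnerability ids.

```python
"""Impact assessment per the FireSIGHT decision table (added example, not product code).

Rows are checked in order: unmonitored network -> unknown host -> vulnerability
mapped to host -> relevant port/protocol in use -> currently not vulnerable.
All host profiles, vulnerability ids and events below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class ImpactFlag(Enum):
    ACT_IMMEDIATELY = "Act Immediately, Vulnerable"
    INVESTIGATE = "Investigate, Potentially Vulnerable"
    NOT_VULNERABLE = "Good to Know, Currently Not Vulnerable"
    UNKNOWN_TARGET = "Good to Know, Unknown Target"
    UNKNOWN_NETWORK = "Good to Know, Unknown Network"


@dataclass(frozen=True)
class HostProfile:
    """What passive discovery learned about a host (constructed sample)."""
    ip: str
    open_ports: frozenset = frozenset()       # {(transport, port)}
    protocols: frozenset = frozenset()        # application protocols seen in use
    vulnerabilities: frozenset = frozenset()  # vulnerability ids mapped to the host


@dataclass(frozen=True)
class IntrusionEvent:
    """An IPS event: where it was aimed and which vulnerabilities the rule covers."""
    dst_ip: str
    transport: str
    dst_port: int
    app_protocol: str
    vuln_ids: frozenset = frozenset()


def assess_impact(event, hosts, monitored_networks):
    """Return the ImpactFlag for one event given host profiles and monitored networks."""
    target = ipaddress.ip_address(event.dst_ip)
    if not any(target in net for net in monitored_networks):
        return ImpactFlag.UNKNOWN_NETWORK      # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return ImpactFlag.UNKNOWN_TARGET       # monitored network, but unknown host
    if event.vuln_ids & host.vulnerabilities:
        return ImpactFlag.ACT_IMMEDIATELY      # event maps to a vulnerability on the host
    port_open = (event.transport, event.dst_port) in host.open_ports
    proto_in_use = event.app_protocol in host.protocols
    if port_open or proto_in_use:
        return ImpactFlag.INVESTIGATE          # service is up, but no vuln mapped
    return ImpactFlag.NOT_VULNERABLE           # port not open / protocol not in use


# Constructed sample data (placeholder addresses and vulnerability ids).
MONITORED = [ipaddress.ip_network("10.1.1.0/24")]
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", frozenset({("tcp", 80)}), frozenset({"http"}),
                             frozenset({"VULN-EXAMPLE-1"})),
    "10.1.1.20": HostProfile("10.1.1.20", frozenset({("tcp", 445)}), frozenset({"smb"})),
}
SAMPLE_EVENTS = [
    IntrusionEvent("10.1.1.10", "tcp", 80, "http", frozenset({"VULN-EXAMPLE-1"})),
    IntrusionEvent("10.1.1.20", "tcp", 445, "smb", frozenset({"VULN-EXAMPLE-2"})),
    IntrusionEvent("10.1.1.20", "tcp", 80, "http", frozenset({"VULN-EXAMPLE-1"})),
    IntrusionEvent("10.1.1.99", "tcp", 22, "ssh"),
    IntrusionEvent("192.0.2.5", "tcp", 22, "ssh"),
]


def triage(events=SAMPLE_EVENTS, hosts=HOSTS, monitored=MONITORED):
    """Classify events and return (flag, event) pairs, most urgent flag first."""
    order = list(ImpactFlag)
    flagged = [(assess_impact(e, hosts, monitored), e) for e in events]
    flagged.sort(key=lambda pair: order.index(pair[0]))
    return flagged


if __name__ == "__main__":
    for flag, ev in triage():
        print(f"{flag.value:40} {ev.dst_ip}:{ev.dst_port}/{ev.transport} ({ev.app_protocol})")
```

The ordering in triage() is what lets the "Act Immediately" rows rise to the top of an analyst's queue while "Good to Know" rows stay visible rather than being silently dropped.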
Cisco FireSIGHT Simplifies Operations
• Impact Assessment and Recommended Rules Automate Routine Tasks
Reduced Cost and Complexity
• Multilayered protection in a single device
• Highly scalable for branch, internet edge, and data centers
• Automates security tasks
  o Impact assessment
The Power of Continuous Analysis
Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case…
Wouldn't it be nice to know if you're dealing with something more deadly?
Indications of Compromise (IoCs)
• IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks
• SI Events: Connections to Known CnC IPs
• Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections
Advanced Malware Protection (FireAMP)
Point-in-time Detection (Antivirus, Sandboxing)
• Initial Disposition = Clean → Analysis Stops → Actual Disposition = Bad = Too Late!!
• Blind to scope of compromise
• Evaded by Sleep Techniques, Unknown Protocols, Encryption, Polymorphism
• Not 100%
Continuous (Retrospective Detection, Analysis Continues)
• Initial Disposition = Clean → Actual Disposition = Bad = Blocked
• Turns back time; Visibility and Control are Key
• Beyond the Event Horizon: addresses limitations of point-in-time detection
FirePOWER Services: Advanced Malware
1) File Capture from Network Traffic
2) File Storage
3) Send to Sandbox (Collective Security Intelligence Sandbox)
4) Execution Report Available In Defense Center
Malware Alert!
Visibility and Context
File events tracked: File Sent, File Received, File Executed, File Moved, File Quarantined
FirePOWER Services for ASA: Subscriptions
Included with the FirePOWER Services for ASA Appliance:
• Configurable Fail Open Interfaces
• Connection/Flow Logging
• Network, User, and Application Discovery
• Traffic filtering / ACLs
• NSS Leading IPS Engine
• Comprehensive Threat Prevention
• Security Intelligence (C&C, Botnets, SPAM etc.)
• Blocking of Files by Type, Protocol, and Direction
• Basic DLP in IPS Rules (SSN, Credit Card etc.)
• Access Control: Enforcement by Application
• Access Control: Enforcement by User
Subscriptions (Annual Fee):
• IPS and App Updates: IPS Rule and Application Updates
• URL Filtering: URL Filtering Subscription
• Malware Protection: Subscription for Malware Blocking, Continuous File Analysis, Malware Network Trajectory
High Availability and Clustering: Max 2 Units (failover) | Max 16 Units* (clustering)
Deploying ASA w/ FirePOWER Services: High Availability with ASA Failover
• Available on all ASA platforms
• State-sharing between Firewalls for high availability
• L2 Transparent or L3 Routed deployment options
• Failover Link
• ASA provides valid, normalized flows to FirePOWER module
• State sharing does not occur between FirePOWER Services Modules
Multi-Context ASA Deployments
• ASA can be configured in multi-context mode so that traffic going through the ASA can be assigned different policies.
• The context interfaces are reported to the FirePOWER blade and can be assigned to security zones that are then used in differentiated policies.
• In this example, you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside.
• Note: There is no management segmentation inside the FirePOWER module comparable to the context concept in the ASA configuration.
Diagram: Context A and Context B, each with Outside and Inside interfaces.
Multi-Context ASA Deployments
Diagram: Admin Context and Context-1.
Deploying ASA w/ FirePOWER Services: Scaling IPS with ASA5585-X Clustering
• Up to 8 ASA5585-X IPS
• Stateless load balancing by external switch
• L2 Transparent or L3 Routed deployment options
• Support for vPC, VSS and LACP
• Cluster Control Protocol/Link
• State-sharing between Firewalls for symmetry and high availability
• Every session has a primary and secondary owner ASA
• ASA provides traffic symmetry to FirePOWER module
Why ASA with FirePOWER Services?
• World's most widely deployed, enterprise-class ASA stateful firewall
• Granular Application Visibility and Control (AVC)
• Industry-leading FirePOWER Next-Generation IPS (NGIPS)
• Validated by NSS Labs as the best NGFW on the market today
• Advanced malware protection
Cisco ASA platform components: Identity-Policy Control & VPN; URL Filtering (subscription); FireSIGHT Analytics & Automation; Advanced Malware Protection (subscription); Application Visibility & Control; Network Firewall; Routing | Switching; Clustering & High Availability; Built-in Network Profiling; Intrusion Prevention (subscription); WWW
Cisco Collective Security Intelligence Enabled
Q & A
