Threat focused security
Adrian ARON, Systems Engineer | SEE - Romania, Cisco
[email protected] | Phone: +40 726 126704
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Hacking, 21st Century: The attack chain
Victim = targeted organization
• Survey: Evaluate victim's countermeasures
• Write: Craft context-aware malware to penetrate victim's environment
• Test: Check malware works & evades victim's countermeasures
• Execute: Deploy malware. Move laterally, establish secondary access
• Accomplish: The mission: Extract data, destroy, plant evidence, compromise.

Mapping Technologies to new Model
Attack Continuum:
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Technologies mapped onto the continuum: Firewall, Patch Mgmt, IPS, IDS, AMD, App Control, Vuln Mgmt, Anti-Virus, FPC, Log Mgmt, VPN, IAM/NAC, Email/Web, Forensics, SIEM
Visibility and Context (across all three phases)

Human health threats of everyday
Health Attack Continuum by bacteria or viruses:
• BEFORE (Harden immune system): Vitamins, Vaccines, Sport, Prebiotics, Healthy food, Probiotics
• DURING (Investigate and diagnose): Blood analysis, Temperature control, Oral exudates
• AFTER (Sustain immune response, Remediate): Autovaccines, Targeted immune stimulation, Antibiotics, Prebiotics, ICU internship, Probiotics
Visibility and Context

Cisco and Sourcefire: Attack Continuum
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
Products on the continuum: Firewall, VPN, NGIPS, NGFW, UTM, Web Security, Identity Services Engine, Email Security
Visibility and Context
• AFTER: Scope, Contain, Remediate: Advanced Malware Protection, Network Behavior Analysis

Attack Continuum: Cisco and Sourcefire product mapping
Control, Enforce, Harden:
• Firewall & NGFW: ASA 5500-X Series; ASA 5500-X w/NGFW license; ASA 5585-X w/NGFW blade; FirePOWER NGFW appliances
• NAC & Identity Services: Identity Services Engine (ISE); Access Control Server (ACS)
• S2S & RAN VPN: Cisco AnyConnect VPN; ASA 5500; ISR G2 / ASR 1K
• Unified Threat Management: Meraki MX series
Detect, Block, Defend:
• IPS & NGIPS: Cisco IPS 4300 Series; Cisco ASA 5500-X Series with integrated IPS; FirePOWER NGIPS; FirePOWER NGIPS w/ Application Control; FirePOWER Virtual NGIPS
• Email Security: Email Security Appliance (ESA); Virtual Email Security Appliance; Cloud Email Security
• Web Security: Web Security Appliance (WSA); Virtual Web Security Appliance; Cloud Web Security (ScanSafe)
Scope, Contain, Remediate:
• Advanced Malware Protection: FireAMP cloud services; FireAMP Mobile; FireAMP Virtual; AMP for FirePOWER license; Dedicated AMP FirePOWER appliance

What is visibility? Why we need Context?
The same IPS event, shown with increasing context:
• Event: Attempted Privilege Gain | Target: 192.168.56.205
• Event: Attempted Privilege Gain | Target: 192.168.56.205 (vulnerable) | Host OS: Blackberry | Apps: Mail, Browser, Twitter | Location: Whitehouse, US
• Event: Attempted Privilege Gain | Target: 192.168.56.205 (vulnerable) | Host OS: Blackberry | Apps: Mail, Browser, Twitter | Location: Whitehouse, US | User ID: bobama | Full Name: Barack Obama | Department: Executive Office
Context has the capability of fundamentally changing the interpretation of your event data.

Cisco Sees MORE threats
Visibility sources: Netflow, Application Protocols, Users, Malware, Vulnerabilities, Web Applications, Files, Operating Systems, Processes, Network Servers,
ISE for Policy & Identity;
Services, Client Applications, VoIP Phones, Mobile Devices, Routers and Switches, Command and Control Servers, Printers, Virtual Machines, Network Behavior
Network Provides Context; AMP on the Endpoint
Block known threats in volume?

Detect and Stop Advanced Threats
Collective Security Intelligence, Event History, Recorded Context: when a new threat is identified, answer Who? What? Where? When? How?
Enforcement: ISE + Network, Appliances (NGFW/NGIPS), FireAMP, CWS (Cognitive), Appliances

NGIPS value architecture
• User Interface: Alerting, Presentation engine, Correlation, Reporting engine
• Example policy: "SMS me only if a valid attack gets through to one of our executives' Android phones."
• Services: Remediation services, Rules engine, Reputation services, Correlation engine, Geolocation services, Anomaly Detection
• Detection Engines
• Awareness: Identity, Network Awareness, Threat awareness, DAQ, Directory mapping, User Awareness, Directory Services
(Shared by Next Generation Firewall and Next Generation IPS)

BEFORE by SourceFire / DURING: NGFW – Powered by NGIPS
NGFW with fully featured NGIPS
• Estate and users mapped by FireSIGHT
• Access violations detected by embedded NGIPS
• Application and access control, switching and routing provided by NGFW
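The "What is visibility? Why we need Context?" slide and the NGIPS policy quote ("SMS me only if a valid attack gets through to one of our executives' Android phones") describe the same mechanism: a raw IPS event is enriched with host and user context, and only then can its impact and the right notification be decided. The following Python is an added illustration, not code from the deck or from any Cisco/Sourcefire product; the HOSTS and USERS tables, the "VULN-A" vulnerability id, the "role" attribute and the extra hosts are constructed assumptions.

```python
"""Context-aware alert handling: enrich a raw IPS event with host and user
context, derive an impact flag, and evaluate a notification rule.
Added example with a hypothetical data model, not a FireSIGHT/NGIPS API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostContext:
    os: str
    apps: tuple
    location: str
    vulnerable_to: frozenset   # ids of vulnerabilities this host is exposed to


@dataclass(frozen=True)
class UserContext:
    user_id: str
    full_name: str
    department: str
    role: str                  # "executive" or "staff" (constructed attribute)


@dataclass(frozen=True)
class Alert:
    event: str
    target_ip: str
    vuln_id: str               # vulnerability the triggering signature exploits


# Constructed context tables (the .205 entry mirrors the slide's illustration).
HOSTS = {
    "192.168.56.205": HostContext("Blackberry", ("Mail", "Browser", "Twitter"),
                                  "Whitehouse, US", frozenset({"VULN-A"})),
    "192.168.56.210": HostContext("Android", ("Mail", "Browser"),
                                  "Whitehouse, US", frozenset({"VULN-A"})),
    "192.168.56.77": HostContext("Linux", ("sshd",), "Datacenter, US",
                                 frozenset()),
}
USERS = {
    "192.168.56.205": UserContext("bobama", "Barack Obama", "Executive Office",
                                  "executive"),
    "192.168.56.210": UserContext("jdoe", "Jane Doe", "Executive Office",
                                  "executive"),
    "192.168.56.77": UserContext("svc-web", "web service account",
                                 "Operations", "staff"),
}


def enrich(alert):
    """Attach whatever host and user context is known for the target."""
    ctx = {"event": alert.event, "target": alert.target_ip}
    host = HOSTS.get(alert.target_ip)
    if host is not None:
        ctx.update(host_os=host.os, apps=host.apps, location=host.location,
                   vulnerable=alert.vuln_id in host.vulnerable_to)
    user = USERS.get(alert.target_ip)
    if user is not None:
        ctx.update(user_id=user.user_id, full_name=user.full_name,
                   department=user.department, role=user.role)
    return ctx


def impact(ctx):
    """Same event, three readings: nothing known about the host, host known
    but not exposed to the exploited vulnerability, or host actually exposed."""
    if "host_os" not in ctx:
        return "unknown-host"
    return "vulnerable" if ctx["vulnerable"] else "not-vulnerable"


def exec_android_rule(ctx):
    """'SMS me only if a valid attack gets through to one of our executives'
    Android phones': valid = target exposed, phone = Android, owner = executive."""
    return (ctx.get("vulnerable") is True
            and ctx.get("host_os") == "Android"
            and ctx.get("role") == "executive")


def process(alert):
    ctx = enrich(alert)
    ctx["impact"] = impact(ctx)
    ctx["notify_sms"] = exec_android_rule(ctx)
    return ctx


if __name__ == "__main__":
    for ip in ("192.168.56.205", "192.168.56.210", "192.168.56.77", "10.0.0.9"):
        r = process(Alert("Attempted Privilege Gain", ip, "VULN-A"))
        print(ip, r["impact"], "SMS" if r["notify_sms"] else "no SMS")
```

The same "Attempted Privilege Gain" signature produces four different outcomes depending only on context: an unknown host gets no impact rating, the Linux server is not exposed to the exploited vulnerability, the Blackberry executive device is exposed but does not match the Android rule, and the Android executive device both matters and pages the on-call engineer.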
Sourcefire NGFW: Threat-focused
• Security Intelligence: NGIPS (content inspection), FireSIGHT (context awareness), Security Intelligence (blacklist control), URL awareness, IP Geo-location
• Controlled traffic through IPS Policy, Firewall Policy, Malware policy and File policy; Switching, Routing, VPN, High Availability
• Comprehensive access control
• By network zone, VLAN, IP, port, protocol, application, user, URL
• With IPS policies
• File control policies
• And it's all beautifully integrated

FirePOWER™: Single-pass, high-performance, low-latency
• Flexible in Software
• NGIPS, NGFW, AMP
• All of the above (just size appropriately)
• Flexible in Hardware
• Scalable: 50Mbps->40Gbps
• Stack to scale, cluster for tolerance
• Up to 320 RISC cores
• Up to 40 Gbps (IPS)
• Cost Effective
• Best in class for IPS, NGFW by NSS Labs

FirePOWER™ Appliances (NGIPS / App Control / NGFW / AMP)
[Chart: IPS throughput from 50 Mbps to 40 Gbps by appliance model: 7010, 7020, 7030, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290 (fixed, mixed / SFP and modular connectivity; stackable); SSL appliances SSL1500, SSL2000, SSL8200]
All appliances include:
• Integrated lights-out management
• Sourcefire acceleration technology
• LCD display

Advanced Malware Protection: AFTER by SourceFire

AV as a malware countermeasure
• It's limited:
• Can only use 2-5% of your available CPU.
• Limited in rule set
• Limited in scope
• Operates as immediate point in time.
[Image: "To your AV, this … … looks like this."]

What if your malware counter-measure could be resourced like this?
• Petaflop processing
• Petabyte storage
• Big data analytics
• Continuous analysis
• State-of-the-art AI algorithms for continuous malware targeting

Malware detection is by no means a sure thing….
File disposition: Known bad | Known good | Unknown
• Don't view instances in isolation.
• Think malware ecosystem, look for underlying context and find the hidden actors
• Track malware trajectory to patient 0, else chance of re-infection will be high
Observed: Unknown drops known bad, 75%; Known bad drops unknown, 70%

Our approach to advanced malware protection: AMP for Networks
[Diagram: FirePOWER appliances (NGFW with FireAMP license, inline IPS, one-arm IDS, AMP Malware license) and DefenceCenter with FireSight, with ISE, reach the FireAMP cloud (Detection Services & Big Data analytics) over the internet via SSL:443 | 32137, heartbeat on port 80; ✖ / ✔ mark blocked and allowed files]

Our approach to advanced malware protection: AMP for Endpoints
[Diagram: PC stations with FireAMP client and the SaaS Manager reach the FireAMP cloud service (Detection Services & Big Data analytics) over the internet via SSL:443 | 32137, heartbeat on port 80; ✖ / ✔ mark blocked and allowed files]

Endpoint operational architecture
• System data: Host Name, Host IP Address, Login Name; Heartbeat to the cloud
• File data: Hash tracked files, Check local cache, Query for Disposition, Block malicious dispositions
• Network data: Capture Network Traffic, Log connection data for tracked files
Legend: No Personally Identifiable Information (PII) / Optional PII / PII

Detection engines power AMP
• SPERO (Decision Tree): Uses AI methods for real-time discovery of malware based on environment and behavior.
• ADVANCED ANALYTICS (Integrative Analytics): Integrates specific heuristics from the malware environment, the Big Data store, ETHOS and SPERO to clarify the outcome of a marginal conviction; periodic review of the Big Data store implements retrospection.
• ONE-TO-ONE (Primary Hash, generic): Catches "well known" malware through use of primary SHA match. Equivalent to a signature-based system.
• ETHOS (Feature Print): Catches families of malware through use of "fuzzy hashes" embedded in the Feature Print. Counters malware evasion by "bit-twiddling".

Finding patient 0: Trajectory analysis
Look wide (AMP for Networks), look deep (AMP for Endpoints)
Look wide on Defence Center: Network trajectory
• When did it happen?
• Where is patient 0?
• What else did it bring in?
Look Deep: Device trajectory
• What systems were infected?

AMP and Sourcefire security intelligence
VRT Powered: Feeds all our systems
• Outputs: Machine learning, Sandboxing, Malware Protection, IPS Rules, Reputation Feeds
• Inputs: Sourcefire Vulnerability Research Team; Sourcefire AEGIS™ Program; Private & Public Threat Feeds; Sandnets; Advanced Microsoft & Industry Disclosures; Vulnerability Database Updates; Big data infrastructure; File Samples (FireAMP™, >180,000 per day); FireAMP™ Community; SPARK Program; Honeypots; Snort® & ClamAV™ Open Source Communities
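The "Endpoint operational architecture" slide lists the file-data loop an endpoint client runs (hash tracked files, check local cache, query for disposition, block malicious dispositions), the ONE-TO-ONE engine describes the primary-hash lookup behind it, and the trajectory slides stress that a verdict can change after the fact. The Python below is an added illustration of that loop, not FireAMP client code or any Cisco/Sourcefire API: FakeCloud is a constructed stand-in for the disposition service, the cache TTLs, the trajectory record and the retrospect() heartbeat task are assumptions, and the file contents and paths are constructed sample input.

```python
"""Endpoint disposition lookup: hash a tracked file, consult a local cache,
ask the (fake) cloud for a disposition, block known bad, and re-check allowed
files retrospectively so a later conviction is found on every host that saw it.
Added example; FakeCloud and the agent design are constructed, not FireAMP."""
import hashlib
import time

KNOWN_BAD, KNOWN_GOOD, UNKNOWN = "known bad", "known good", "unknown"


class FakeCloud:
    """Constructed stand-in for the disposition service; no network involved."""

    def __init__(self):
        self._dispositions = {}
        self.queries = 0            # lets callers see how often the cache missed

    def set_disposition(self, sha256, disposition):
        self._dispositions[sha256] = disposition

    def query(self, sha256):
        self.queries += 1
        return self._dispositions.get(sha256, UNKNOWN)


class EndpointAgent:
    def __init__(self, cloud, cache_ttl=300.0, clock=time.monotonic):
        self.cloud = cloud
        self.cache_ttl = cache_ttl
        self.clock = clock          # injectable for deterministic testing
        self.cache = {}             # sha256 -> (disposition, expiry time)
        self.trajectory = []        # (time, path, sha256, disposition, action)
        self.blocked = set()

    @staticmethod
    def sha256(data):
        """Primary hash used for the one-to-one lookup."""
        return hashlib.sha256(data).hexdigest()

    def disposition(self, sha):
        """Check local cache first; only on a miss query the cloud."""
        now = self.clock()
        cached = self.cache.get(sha)
        if cached is not None and cached[1] > now:
            return cached[0]
        disp = self.cloud.query(sha)
        # Unknown verdicts are cached for a tenth of the TTL so that a later
        # conviction is picked up sooner than a settled known-good/known-bad.
        ttl = self.cache_ttl if disp != UNKNOWN else self.cache_ttl / 10
        self.cache[sha] = (disp, now + ttl)
        return disp

    def on_file_event(self, path, data):
        """Called for every tracked file the endpoint creates or executes."""
        sha = self.sha256(data)
        disp = self.disposition(sha)
        action = "block" if disp == KNOWN_BAD else "allow"
        if action == "block":
            self.blocked.add(sha)
        self.trajectory.append((self.clock(), path, sha, disp, action))
        return action

    def retrospect(self):
        """Heartbeat task: re-query every hash previously allowed. A hash that is
        now known bad yields a retrospective detection carrying first-seen time
        and every path it touched, which is what a trajectory view is built from."""
        findings = []
        for sha in {t[2] for t in self.trajectory if t[3] != KNOWN_BAD}:
            self.cache.pop(sha, None)           # force a fresh cloud answer
            if self.disposition(sha) == KNOWN_BAD:
                seen = [t for t in self.trajectory if t[2] == sha]
                findings.append({"sha256": sha,
                                 "first_seen": min(t[0] for t in seen),
                                 "paths": sorted({t[1] for t in seen})})
                self.blocked.add(sha)
        return findings


if __name__ == "__main__":
    cloud = FakeCloud()
    agent = EndpointAgent(cloud)
    bad, good = b"constructed malicious payload", b"constructed benign payload"
    cloud.set_disposition(EndpointAgent.sha256(bad), KNOWN_BAD)
    print(agent.on_file_event("C:/tmp/a.exe", bad))      # block
    print(agent.on_file_event("C:/tmp/b.exe", good))     # allow (unknown)
    cloud.set_disposition(EndpointAgent.sha256(good), KNOWN_BAD)  # later conviction
    print(agent.retrospect())                            # retrospective detection
```

The point of retrospect() is the deck's "look for patient 0" argument: because every allowed execution was recorded with its hash and path, a verdict that flips from unknown to known bad can be mapped back to the first host and time it was seen, instead of only blocking the next copy.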