
Cisco + SourceFire: Threat-Centric Security Approach
BRKSEC-2061

Jatin Sachdeva (CISSP, CISA, CEH, GWAPT, GSEC, SFCE)
Security Architect, Cisco ANZ

#clmel
Agenda
• Today's Security Challenges
• A Threat-Centric and Operational Security Model
• Next Generation Firewall & IPS
• Content Security & Advanced Malware Prevention
• Network as a Distributed Firewall
• Network as a Visibility Sensor
• Reducing Complexity and Increasing Capability
• It Takes an Architecture
• Summary
BRKSEC-2061 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Session Objective
Provide a quick review of today's dynamic threat landscape and outline the Cisco threat-centric and operational security model that spans a range of attack vectors to address the full attack continuum: before, during, and after an attack.
Security Perspective
The Problem is THREATS
Today's Advanced Malware is Not Just a Single Entity
• Missed by point-in-time detection
• It is a community that hides in plain sight

100 percent of companies surveyed by Cisco have connections to domains that are known to host malicious files or services. (2014 CASR)
Top Cyber Risks for Users
• Untrustworthy sources
• Clickfraud and adware
• Outdated browsers: 10% of IE requests are running the latest version, vs 64% of Chrome requests

Source: 2015 Cisco Annual Security Report
The Challenges Come from Every Direction
Defenders sit in the middle of:
• Sophisticated attackers
• Complicit users
• Dynamic threats
• Boardroom engagement
• Complex geopolitics
• Misaligned policies
Cisco 2015 Annual Security Report
Now available: cisco.com/go/asr2015
Impact of a Breach
Figure: breach timeline (the percentages on the original slide are not recoverable). Source: Verizon Data Breach Report 2014.
• START: breach occurs
• HOURS: data in breaches is stolen
• MONTHS: breaches remain undiscovered
• YEARS: information of individuals is on the black market over the last three years
Breach/Detection Time Delta is Not Improving
Figure: percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, by year, 2004 to 2013 (y-axis 25% to 100%). The "time to compromise" series sits near the top of the chart and "time to discovery" near the bottom throughout. Source: Verizon 2014 Data Breach Investigations Report.
Why?
The Configuration Problem
• Poor awareness of the true operational environment
• Changes to the environment that require configuration/posture changes go unrecognised
• Detection content unavailable
  – 0-day
• No anomaly detection mechanisms in place
The Organisational Problem
• False positive rates too high
  – Operator overload due to a mass of equally meaningless events that must be contextualised
• Frequently technologies are deployed but not properly operationalised
  – Check-box security
• In 2014, the average cost of an organisational data breach was US$3.5 million
  Source: The Ponemon Institute
Defenders
Less than half of security practitioners leverage known effective practices (SecOps):
• Identity administration and provisioning: 43%
• Patching and configuration as defence: 38%
• Pentesting: 39%
• Quarantine malicious applications: 55%

Source: 2015 Cisco Annual Security Report
If you knew you were going to be
compromised, would you do
security differently?
Addressing The Configuration Problem
• Visibility Architecture
  – Collect context about the operational environment
  – Continuously, in real time
  – Visibility data is used to recommend configuration of security infrastructure
  – Real-time notifications of change drive real-time change in security posture
• Content
  – Rapid development and dissemination of updated detection content is fundamental, for both:
    • Vendors
    • Security operations teams
Addressing The Organisational Problem
• Contextualisation
  – Event loads are high due to misconfiguration
  – Even when well tuned, raw events must be contextualised automatically where possible
• Operationalisation
  – That's your job…
• Engagement from corporate boards is crucial in setting security priorities and expectations
  – Boards need to know what the cybersecurity risks to the business are and their potential impact
  – CIOs must ask tough questions about security controls that are meaningful to the board and outline the business implications
A Threat-Centric and Operational Security Model
Attack Continuum

BEFORE: Discover, Enforce, Harden
  Firewall, Patch Mgmt, App Control, Vuln Mgmt, VPN, IAM/NAC
DURING: Detect, Block, Defend
  IPS, IDS, Anti-Virus, FPC, Email/Web
AFTER: Scope, Contain, Remediate
  AMD, Log Mgmt, Forensics, SIEM

Visibility and Context (spans the whole continuum)
A Threat-Centric and Operational Approach
Attack Continuum

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Coverage across: Network, Endpoint, Mobile, Virtual, Cloud
From point-in-time to continuous
Cisco: Covering the Entire Continuum
Attack Continuum

BEFORE: Discover, Enforce, Harden
  ASA, VPN, NGFW, Meraki, Secure Access + Identity Services
DURING: Detect, Block, Defend
  NGIPS, ESA/WSA, CWS
AFTER: Scope, Contain, Remediate
  Advanced Malware Protection, Cognitive, ThreatGRID

Across the continuum: FireSIGHT, CTD & pxGrid
Services
Building a Threat-Centric Cisco Security Architecture
Attack Continuum: BEFORE (Discover, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate)

Next Generation Firewall and Intrusion Prevention System
Cisco NGFW / NGIPS Offerings

Embedded FirePOWER NGIPS
• Best-of-breed NGIPS for advanced threat protection
• Scalability up to 60 Gbps+
• Application and identity aware
• Lower TCO through automation

Advanced Malware Prevention (AMP)
• Class-leading advanced malware solution
• File reputation and sandboxing
• Malware forensics reports
• Malware and file retrospection
• Cisco AMP Everywhere ensures pervasive coverage

Cisco NGFW: ASA with FirePOWER Services
• Only threat-focused NGFW to cover the full attack continuum
• Available on existing ASA-X platforms
• Integrated NGIPS + AMP
• Ultra-granular policies: app, identity, risk, business relevance

Common NGIPS and AMP code base
Common threat management: FireSIGHT
Common Collective Security Intelligence
Flexible deployment: appliance, virtual, cloud
New ASA
ASA with FirePOWER Services: Best-in-Class NGFW Capabilities

Cisco Collective Security Intelligence enabled
• Clustering & high availability
• Intrusion Prevention (subscription)
• Advanced Malware Protection (subscription)
• URL Filtering (subscription)
• FireSIGHT analytics & automation
• Network firewall, routing | switching
• Built-in network profiling
• Application visibility & control
• Identity-policy control & VPN

Cisco FireSIGHT Management automates operations
Content Security
Email and Web are the Most Prevalent Attack Vectors
…And most successful!
• App development has moved to web and mobile
• Explosion of
  • Cloud services
  • Social networking
• Email is still one of the most critical business applications

Risks
• Java exploits represented 93% of all 2014 Indications of Compromise*
• Blended attacks combine social engineering, phishing and web malware
• Social networking users are increasingly being targeted for data theft and social engineering attacks
• Loss of productivity due to social networking, gaming, etc.

*Cisco 2014 mid-year security report
Cisco Content Security Can Help

Cisco Email Security
• Efficient multi-scan
• Spam and virus protection
• Email reputation filtering
• Spam image analysis
• Encryption
• Robust DLP
• URL scanning

Cisco Advanced Malware Prevention (AMP)
• Class-leading anti-malware solution
• File reputation and sandboxing
• Malware forensics reports
• Malware file retrospection
• Cisco AMP Everywhere ensures pervasive coverage

Cisco Web Security
• Safeguards every device, everywhere, all the time
• Acceptable use controls
• Web reputation
• Application visibility & control
• Dynamic content analysis
• Actionable reporting
• Threat analytics

AMP Everywhere
Common Collective Security Intelligence
Systems work together for blended attack protection
Flexible deployment: client, appliance, virtual, cloud
Email: Cisco Zero-Hour Malware Protection

Advanced Malware Protection (SourceFire AMP integration)
• Reputation update
• File Reputation: known file reputation
• File Sandboxing: unknown files are uploaded for sandboxing
• Cloud-powered zero-hour malware detection

Outbreak Filters
• Telemetry-based zero-hour virus and malware detection
Email: Outbreak Filters
http://www.senderbase.org/static/malware/

Outbreak Filters Advantage
• More protection than just AV alone
• Leverages CSI telemetry to detect outbreaks
• Average AV signature lead time: over 13 hours
• Average Cisco lead time: <60 mins

Outbreak Filters in action (diagram components: CSI, Cisco® Dynamic Quarantine, Virus Filter)
Advanced Malware Protection: cloud-powered zero-hour malware detection
Outbreak Filters: zero-hour virus and malware detection
Web: Web Pages Contain Hidden Threats
Real-time Sandbox Analysis for Zero-day Defence
• Detects ~20% more threats*
• Every object on the page is analysed
• Real-time emulation
Outstanding Blended Attack Defence
Cisco Email & Web work as a system

1. Email contains a URL
2. Send to cloud: Cisco Security Intelligence, URL analytics
3. Rewrite, neutralise or replace the URL, e.g.
   BLOCKEDwww.playboy.comBLOCKED
   BLOCKEDwww.proxy.orgBLOCKED
   "This URL is blocked by policy"

Automated with Outbreak Filters, or manual
Network as a Distributed Firewall

Protection Against Advanced Persistent Threats
Network segmentation is critical
Verizon DBIR 2014: segmentation is among the recommended controls
Cisco Secure Access
Making segmentation easy and dynamic

Identity Services Engine
• Centralised policy management
• Allows for dynamic and micro segmentation
• AAA RADIUS server
• Guest access services
• BYOD enablement
• MDM integration
• Device profiling & posture assessment
• pxGrid context sharing

TrustSec
• Provides dynamic network segmentation
• Access control using IP/VLAN-independent tags
• Simplifies BYOD access and policies
• Provides access policy enforcement on all network devices
• Vast firewall rule simplification

AnyConnect Secure Mobility
• Universal security client
• SSL VPN / IPsec
• Mobile web security
• Network Access Manager
• Host NAC agent
• Certificate provisioning

Common identity and context
Common policy across wired, wireless and VPN
Flexible deployment: appliance, virtual, cloud
Simplification of Access Policy with TrustSec

Firewall rules keyed on Security Group Tags (SGT) instead of IP addresses:

  Source (IP, SGT)      Destination (IP, SGT)    Service   Action
  Any, Employee         Any, Biz Server          HTTPS     Allow
  Any, Suspicious       Any, Biz Server          Any       Deny

• Massive firewall rule simplification
• Policy enforcement regardless of IP address/VLAN
• Result: accelerated service provisioning

Classification by the ISE policy server, for example:
  Device type: Apple Mac; User: Fay; AD group: Employee; Asset registration: Yes
  Policy mapping → SGT: Employee

• Consistent policy assignment regardless of access method (VPN, remote access, WLAN controller, access switch)
• Differentiated network access based on context
• The Security Group Tag is added to every packet from the host
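The table above expresses intent per tag rather than per address. The Python below is an added illustration of that idea, not ISE or TrustSec code: it classifies an endpoint to an SGT from its context and evaluates the two-row matrix with first-match semantics and an implicit deny. The Endpoint fields, the "Unknown" default tag and the rule-count helper are assumptions; the tag names, services and the two rules come from the slide. The same user arriving over WLAN and over VPN gets the same decision, and a host that fails posture is denied even though it is in the Employee AD group.

```python
"""Tag-based access policy in the style of the TrustSec slide above.

Added example, not Cisco ISE/TrustSec code. The SGT names (Employee,
Suspicious, Biz Server), the single service column and the context fields
used for classification are assumptions modelled on the slide's table.
"""
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Endpoint:
    """Context the policy server knows about a connecting host (constructed)."""
    ip: str
    access_method: str      # "wlan", "switch" or "vpn"; irrelevant to the decision
    user: str
    ad_group: str
    device_type: str
    asset_registered: bool
    posture_compliant: bool


def classify_sgt(ep: Endpoint) -> str:
    """Policy mapping: context -> Security Group Tag.

    Order matters: a failed posture check wins over group membership, so a
    compromised corporate laptop lands in Suspicious, not Employee.
    """
    if not ep.posture_compliant:
        return "Suspicious"
    if ep.ad_group == "Employee" and ep.asset_registered:
        return "Employee"
    return "Unknown"        # assumed default tag; no rule matches it, so it hits the implicit deny


# (source SGT, destination SGT, service, action): the two rows of the slide table
POLICY = [
    ("Employee", "Biz Server", "HTTPS", "Allow"),
    ("Suspicious", "Biz Server", ANY, "Deny"),
]


def evaluate(src_sgt: str, dst_sgt: str, service: str) -> str:
    """First-match evaluation over the SGT matrix, implicit deny at the end."""
    for rule_src, rule_dst, rule_svc, action in POLICY:
        if (rule_src in (ANY, src_sgt)
                and rule_dst in (ANY, dst_sgt)
                and rule_svc in (ANY, service)):
            return action
    return "Deny"


def decide(ep: Endpoint, dst_sgt: str, service: str) -> tuple:
    """Classify the endpoint, then enforce: returns (assigned SGT, action)."""
    sgt = classify_sgt(ep)
    return sgt, evaluate(sgt, dst_sgt, service)


def ip_rule_count(src_prefixes: int, dst_hosts: int, services: int) -> int:
    """Rules an IP/VLAN-keyed firewall needs to express one SGT rule.

    Every source prefix x every destination host x every service is a
    separate line; the SGT matrix above expresses the same intent in one row.
    """
    return src_prefixes * dst_hosts * services


if __name__ == "__main__":
    # Constructed endpoints: Fay from the slide, on two different access methods
    fay_wlan = Endpoint("10.10.5.23", "wlan", "Fay", "Employee", "Apple Mac", True, True)
    fay_vpn = Endpoint("172.16.200.9", "vpn", "Fay", "Employee", "Apple Mac", True, True)
    infected = Endpoint("10.10.5.77", "switch", "Bob", "Employee", "Windows", True, False)
    for ep in (fay_wlan, fay_vpn, infected):
        print(ep.user, ep.access_method, decide(ep, "Biz Server", "HTTPS"))
```

Note that the classification step is where the trust decision is made; the firewall only consumes the tag, which is why enforcement can be consistent across VPN, wireless and wired without any of those devices knowing who Fay is.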
Empower BYOD with ISE & TrustSec
Empowering the user without sacrificing security
• Reduced burden on IT staff
  – Device on-boarding
  – MDM / posture compliance
  – Self registration
  – Supplicant provisioning
  – Certificate provisioning
• Self service model
  – myDevice portal for registration
  – Guest sponsorship portal
• Device black listing
  – User-initiated control of their devices: black-listing, re-instating, etc.
• Support for:
  – iOS (post 4.x)
  – Mac OS X (10.6 – 10.9)
  – Android (2.2 and onward)
  – Windows (XP, Vista, Win7, Win8)
• Multiple device support, multiple network topologies, simple certificate provisioning, self registration, black-listing & re-instating of devices
Enabling Network-Wide Identity & Context Sharing
Cisco Platform Exchange Grid – pxGrid
An infrastructure for a robust security ecosystem

pxGrid context sharing: real-time & secure; a single, pub/sub, open framework
• Single framework: develop once, instead of to multiple APIs
• Control what & where context is shared among platforms
• Bi-directional: share and consume context at the same time
• Extremely scalable
• Integrating with Cisco SDN for broad network control functions
Diagram: ISE and TrustSec.
Network as a Visibility Sensor

NetFlow Analysis Can Help
• Data intelligence
• Incident response
Behavioural Detection Model
As flows are collected, behavioural algorithms are applied to build "Security Events". Each Security Event adds points to an alarm category, which allows for easy summarisation and a higher degree of confidence in the type of activity detected:

Security Events (94+), for example:
• Addr_Scan/tcp
• Addr_Scan/udp
• Bad_Flag_ACK**
• Beaconing Host
• Bot Command Control Server
• Bot Infected Host - Attempted
• Bot Infected Host - Successful
• Flow_Denied
• ICMP Flood
• Max Flows Initiated
• Max Flows Served
• Suspect Long Flow
• Suspect UDP Activity
• SYN Flood
• …

Alarm Categories:
• Concern
• Recon
• C&C
• Exploitation
• Data Hoarding
• Exfiltration
• DDoS Target

Response:
• Alarm table
• Host snapshot
• Email
• Syslog / SIEM
• Mitigation
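The model above is a scoring pipeline: detectors turn flow records into named events, events add points to a category per host, and an alarm fires only when a category crosses its threshold. The Python below is an added example of that pipeline, not Lancope/StealthWatch code. It implements three of the listed events (Addr_Scan/tcp, Beaconing Host, Suspect Long Flow) over constructed NetFlow records; the point values, thresholds and detector parameters are assumptions. It shows why the scoring step matters: one large flow earns points but does not alarm on its own, while a sweep of one port across many hosts or a metronomic connection to one destination does.

```python
"""Behavioural scoring over NetFlow, in the style of the slide above.

Added example, not Lancope/StealthWatch code. The flow records, the three
detectors, the point values and the alarm thresholds are all constructed for
illustration; a real system has 94+ event types and tuned baselines.
"""
from collections import defaultdict
from statistics import mean, pstdev

# security event -> (alarm category, points it contributes); constructed values
EVENT_POINTS = {
    "Addr_Scan/tcp": ("Recon", 60),
    "Beaconing Host": ("C&C", 70),
    "Suspect Long Flow": ("Exfiltration", 40),
}
# points a category must accumulate before an alarm is raised; constructed
ALARM_THRESHOLDS = {"Recon": 50, "C&C": 60, "Exfiltration": 80}


def detect_addr_scan(flows, min_targets=10):
    """Addr_Scan/tcp: one source touching many distinct hosts on one TCP port."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp":
            targets[(f["src"], f["dport"])].add(f["dst"])
    return [(src, "Addr_Scan/tcp")
            for (src, _port), dsts in targets.items() if len(dsts) >= min_targets]


def detect_beaconing(flows, min_flows=6, max_jitter=0.1):
    """Beaconing Host: repeated flows to one destination at near-constant intervals."""
    times = defaultdict(list)
    for f in flows:
        times[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    events = []
    for (src, _dst, _port), ts in times.items():
        if len(ts) < min_flows:
            continue
        ordered = sorted(ts)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        # coefficient of variation of the inter-arrival gaps: low means machine-like timing
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            events.append((src, "Beaconing Host"))
    return events


def detect_long_flows(flows, min_bytes=50_000_000):
    """Suspect Long Flow: a single flow moving far more data than normal."""
    return [(f["src"], "Suspect Long Flow") for f in flows if f["bytes"] >= min_bytes]


def score(flows):
    """Run detectors, add points per (host, category), return hosts with alarms."""
    events = detect_addr_scan(flows) + detect_beaconing(flows) + detect_long_flows(flows)
    points = defaultdict(lambda: defaultdict(int))
    for host, event in events:
        category, pts = EVENT_POINTS[event]
        points[host][category] += pts
    alarms = {}
    for host, cats in points.items():
        fired = sorted(c for c, p in cats.items() if p >= ALARM_THRESHOLDS[c])
        if fired:
            alarms[host] = fired
    return alarms


def build_sample_flows():
    """Constructed NetFlow records: a scanner, a beaconing host, one big transfer, one quiet host."""
    flows = []
    # 10.1.1.5 sweeps tcp/445 across twelve hosts (address scan)
    for i in range(12):
        flows.append({"ts": i, "src": "10.1.1.5", "dst": f"10.1.2.{i + 1}",
                      "dport": 445, "proto": "tcp", "bytes": 120})
    # 10.1.1.7 calls the same external host every 60 seconds (beaconing)
    for k in range(8):
        flows.append({"ts": 60 * k, "src": "10.1.1.7", "dst": "203.0.113.10",
                      "dport": 443, "proto": "tcp", "bytes": 900})
    # 10.1.1.9 pushes 80 MB in one flow: earns points, but stays below the alarm threshold alone
    flows.append({"ts": 300, "src": "10.1.1.9", "dst": "198.51.100.4",
                  "dport": 443, "proto": "tcp", "bytes": 80_000_000})
    # 10.1.1.20 is ordinary: one web request
    flows.append({"ts": 5, "src": "10.1.1.20", "dst": "198.51.100.7",
                  "dport": 80, "proto": "tcp", "bytes": 4000})
    return flows


if __name__ == "__main__":
    print(score(build_sample_flows()))   # {'10.1.1.5': ['Recon'], '10.1.1.7': ['C&C']}
```

The beaconing check uses the coefficient of variation of inter-arrival gaps rather than a fixed interval, so it catches a 60-second beacon and a 17-minute beacon alike; a human browsing the same site would produce gaps with far higher variance.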
Cyber Threat Defence (CTD) Solution
Switches, routers and firewalls export NetFlow; the solution adds threat detection, advanced visibility & investigation.
• Partner with Lancope (StealthWatch) to deliver network visibility, security context and intelligence
• Enhance with identity, device and application awareness
Reducing Complexity and Increasing Capability
Visibility is the Foundation
Layered model, from the bottom up:
• Visibility: broad awareness for context
• Control: set policy to reduce the surface area of attack
• Threat: focus on the threat; security is about detecting, understanding, and stopping threats
• Breach: understand scope, contain & remediate
APIs connect the layers; a workflow (automation) engine drives them.
Visibility Must Be Pervasive
Products mapped to the layers and the attack continuum:
• Breach (AFTER: Scope, Contain, Remediate): AMP, ThreatGRID
• Threat (DURING: Detect, Block, Defend): CTA, NGIPS, ESA/WSA, Reputation
• Control (BEFORE: Enforce, Harden): ASA, Meraki, NGFW, ISE, VPN, NAC
• Visibility (Discover, Monitor, Inventory, Map):
  – Network / devices (FireSIGHT/pxGrid/CTD)
  – Users / applications (FireSIGHT/pxGrid/ISE/CTD)
  – Files / data (FireSIGHT/AMP)
APIs and a workflow (automation) engine tie the layers together.
Today's Security Appliances
Functions delivered as separate boxes: traditional firewall functions, VPN functions, context-aware functions, IPS functions, malware functions.

We must integrate more effectively to make more effective security solutions
Two Kinds of Integration
• Front-end integration
  – Most security technologies have information about the environment that they are defending but do not share it
  – Build a Visibility Architecture to collect information about the composition, configuration and change in the environment being defended
• Back-end integration
  – Collect and centralise information about what's happening to the environment and try to figure out what is happening
  – Traditional integration model
Building a Visibility Architecture
• Why?
  – Automation
  – Contextualisation
  – Anomaly detection
  – Event-driven security
• What visibility is important?
Types of Visibility
• Asset/Network
  – Network topology
  – Asset profiles
    • Address
    • Hardware platform/class
    • Operating system
    • Open ports/services
    • Vendor/version of client or server software
    • Attributes
  – Vulnerabilities
• User
  – Location
  – Access profile
  – Behaviours
• File/Data/Process
  – Motion
  – Execution
  – Metadata
  – Origination
  – Parent
• Security
  – Point-in-time events
  – Telemetry
  – Retrospection
Platform Exchange Grid – pxGrid
Direct, secured interfaces between every pair of platforms: "That didn't work so well!"
pxGrid context sharing: a single framework.
• What platforms have: reputation info, application info, sec events, NBAR info, location, NetFlow, MDM info, threat data (Talos), app inventory info, firewall logs, identity & device-type
• What platforms need: threat data, location & auth-group, reputation, identity, entitlement, posture, app inventory & vulnerability
Cisco FireSIGHT Context Collection Platform
• IPS events: malware backdoors, exploit kits, web app attacks, CnC connections, admin privilege escalations
• SI (Security Intelligence) events: connections to known CnC IPs
• Malware events: malware detections, Office/PDF/Java compromises, malware executions, dropper infections

Cisco FireSIGHT Fuels Automation
Impact assessment and recommended rules automate routine tasks
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target.

  Impact flag / administrator action          Why
  Act immediately, vulnerable                 Event corresponds to a vulnerability mapped to the host
  Investigate, potentially vulnerable         Relevant port open or protocol in use, but no vulnerability mapped
  Good to know, currently not vulnerable      Relevant port not open or protocol not in use
  Good to know, unknown target                Monitored network, but unknown host
  Good to know, unknown network               Unmonitored network
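The five rows above are a decision procedure over the passively discovered host profile. The Python below is an added example of that procedure, not FireSIGHT code: the order of the checks and the action text come from the slide, while the flag numbering (1 for act immediately down to 4 for unknown target, 0 for an unmonitored network), the host profile fields, the vulnerability IDs and the sample events are assumptions constructed for the example. The check order is the point: a mapped vulnerability is tested before the open-port check, because an event against a host known to carry the relevant flaw must outrank one against a host that merely runs the service.

```python
"""Impact flag assignment for intrusion events, following the table above.

Added example, not FireSIGHT code. The host profile layout, the event fields
and the flag numbering (1 = act immediately down to 4 = unknown target, with
0 for an unmonitored network) are assumptions; the five conditions and their
order come from the slide.
"""
from ipaddress import ip_address, ip_network

# flag -> (administrator action, why); text from the slide table
IMPACT = {
    1: ("Act Immediately, Vulnerable", "event corresponds to a vulnerability mapped to the host"),
    2: ("Investigate, Potentially Vulnerable", "relevant port open or protocol in use, but no vuln mapped"),
    3: ("Good to Know, Currently Not Vulnerable", "relevant port not open or protocol not in use"),
    4: ("Good to Know, Unknown Target", "monitored network, but unknown host"),
    0: ("Good to Know, Unknown Network", "unmonitored network"),
}


def assess(event, hosts, monitored):
    """Return the impact flag for one intrusion event.

    hosts maps IP -> profile built from passive discovery: open (proto, port)
    pairs and the vulnerability IDs mapped to that host. monitored is the list
    of networks the sensor is configured to discover hosts on.
    """
    target = ip_address(event["dst_ip"])
    if not any(target in net for net in monitored):
        return 0                                   # unmonitored network
    profile = hosts.get(event["dst_ip"])
    if profile is None:
        return 4                                   # monitored network, unknown host
    if event.get("vuln") and event["vuln"] in profile["vulns"]:
        return 1                                   # vulnerability mapped to host
    if (event["proto"], event["dst_port"]) in profile["open_ports"]:
        return 2                                   # service present, no vuln mapped
    return 3                                       # port closed / protocol not in use


def triage(events, hosts, monitored):
    """Attach flag and action to each event and order them for the analyst.

    Flag 1 first; flag 0 (unmonitored network) last, since nothing on it is ours.
    """
    assessed = []
    for ev in events:
        flag = assess(ev, hosts, monitored)
        assessed.append({**ev, "impact": flag, "action": IMPACT[flag][0]})
    return sorted(assessed, key=lambda e: (e["impact"] == 0, e["impact"]))


def build_sample_environment():
    """Constructed host profiles and monitored networks."""
    hosts = {
        "10.0.0.10": {"os": "Linux", "open_ports": {("tcp", 22), ("tcp", 80)},
                      "vulns": {"vuln-httpd-001"}},          # constructed vulnerability ID
        "10.0.0.11": {"os": "Windows", "open_ports": {("tcp", 445)}, "vulns": set()},
    }
    monitored = [ip_network("10.0.0.0/24")]
    return hosts, monitored


def build_sample_events():
    """Constructed intrusion events, one per row of the slide table."""
    return [
        {"sig": "httpd remote exploit", "dst_ip": "10.0.0.10", "proto": "tcp", "dst_port": 80, "vuln": "vuln-httpd-001"},
        {"sig": "SMB exploit attempt", "dst_ip": "10.0.0.11", "proto": "tcp", "dst_port": 445, "vuln": "vuln-smb-002"},
        {"sig": "SSH brute force", "dst_ip": "10.0.0.11", "proto": "tcp", "dst_port": 22, "vuln": None},
        {"sig": "web shell upload", "dst_ip": "10.0.0.99", "proto": "tcp", "dst_port": 80, "vuln": None},
        {"sig": "web shell upload", "dst_ip": "192.168.5.5", "proto": "tcp", "dst_port": 80, "vuln": None},
    ]


if __name__ == "__main__":
    hosts, nets = build_sample_environment()
    for ev in triage(build_sample_events(), hosts, nets):
        print(ev["impact"], ev["dst_ip"], ev["action"])
```

Flag 4 is worth watching operationally: a steady stream of "unknown target" events on a monitored network means discovery is not seeing hosts it should, which is the configuration problem from earlier in the session rather than an attack.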
FireSIGHT Brings Visibility

  Categories                  Typical examples               Cisco FireSIGHT   Typical IPS   Typical NGFW
  Threats                     Attacks, anomalies             ✔                 ✔             ✔
  Users                       AD, LDAP, POP3                 ✔                 ✗             ✔
  Web applications            Facebook Chat, Ebay            ✔                 ✗             ✔
  Application protocols       HTTP, SMTP, SSH                ✔                 ✗             ✔
  File transfers              PDF, Office, EXE, JAR          ✔                 ✗             ✔
  Malware                     Conficker, Flame               ✔                 ✗             ✗
  Command & control servers   C&C security intelligence      ✔                 ✗             ✗
  Client applications         Firefox, IE, BitTorrent        ✔                 ✗             ✗
  Network servers             Apache 2.3.1, IIS4             ✔                 ✗             ✗
  Operating systems           Windows, Linux                 ✔                 ✗             ✗
  Routers & switches          Cisco, Nortel, wireless        ✔                 ✗             ✗
  Mobile devices              iPhone, Android, Jail          ✔                 ✗             ✗
  Printers                    HP, Xerox, Canon               ✔                 ✗             ✗
  VoIP phones                 Cisco, Avaya, Polycom          ✔                 ✗             ✗
  Virtual machines            VMware, Xen, RHEV              ✔                 ✗             ✗
OpenAppID – First Open-Source Application Identification and Control
• OpenAppID language documentation
  o Accelerates the identification and protection of new cloud-delivered applications
• Special Snort engine with OpenAppID preprocessor
  o Detect apps on the network
  o Report usage stats
  o Block apps by policy
  o Snort rule language extensions to enable app specification
  o Append 'App Name' to IPS events
• Library of OpenAppID detectors
  o Over 1000 detectors to use with the Snort preprocessor
  o Extendable sample detectors
Available now at Snort.org
The Event Horizon Problem
• Point-in-time
  – Events generated as they're discovered
  – Discovery (detection) failure = false negative
  – Brittle
• Continuous (telemetry)
  – Specific event types are continuously recorded and analysed
  – Structural (signatures)
  – Behavioural (activities)
The Event Horizon
Diagram: Firewall, IDS/IPS, AMD and Antivirus each make one point-in-time decision (marked X) before the 'Event Horizon'; beyond it lies the device, where nothing further is observed.
Beyond The Event Horizon
• Continuous capability is needed for the world in which you will be compromised
  – Streaming telemetry
  – Continuous analysis
  – Real-time and retrospective security with the full spectrum of controls available at any time
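Retrospective security, as named above and in the "malware and file retrospection" bullets of the AMP slides, depends on recording every sighting rather than only the sightings that were suspicious at the time. The Python below is an added example of the mechanism, not Cisco AMP code; the hashes, hosts, paths, timestamps and verdicts are constructed. It contrasts the point-in-time verdict a gateway can give while a file is in transit ("unknown", so allowed) with what continuous telemetry makes possible when a sandbox conviction arrives an hour later: alerts for every host that already has the file, plus a real-time block for the next one.

```python
"""Retrospective alerting from continuous file telemetry.

Added example, not Cisco AMP code. The hashes, hosts, timestamps and verdicts
are constructed. It contrasts the point-in-time decision a gateway can make
while a file is in transit with what becomes possible when every sighting is
recorded: a conviction that arrives later still reaches every host that
already has the file.
"""
from collections import defaultdict

# Constructed SHA-256 values standing in for two files
UNKNOWN_DROPPER = "1" * 64
KNOWN_BAD = "f" * 64


class FileTelemetry:
    def __init__(self):
        self.sightings = defaultdict(list)            # sha256 -> [(ts, host, path)]
        self.disposition = {KNOWN_BAD: "malicious"}   # sha256 -> clean | malicious | unknown
        self.alerts = []

    def point_in_time_verdict(self, sha256):
        """All a blocking control can use at transit time: the current disposition."""
        return self.disposition.get(sha256, "unknown")

    def record(self, ts, host, path, sha256):
        """Continuous telemetry: store every sighting, block only what is known bad now."""
        self.sightings[sha256].append((ts, host, path))
        verdict = self.point_in_time_verdict(sha256)
        if verdict == "malicious":
            self.alerts.append({"kind": "realtime", "host": host, "path": path,
                                "sha256": sha256, "seen": ts, "convicted": ts})
        return verdict

    def update_disposition(self, sha256, verdict, ts):
        """A sandbox or intelligence result arrives later; re-evaluate recorded history."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        new_alerts = []
        if verdict == "malicious" and previous != "malicious":
            for seen, host, path in self.sightings[sha256]:
                new_alerts.append({"kind": "retrospective", "host": host, "path": path,
                                   "sha256": sha256, "seen": seen, "convicted": ts})
        self.alerts.extend(new_alerts)
        return new_alerts

    def affected_hosts(self, sha256):
        """Scope: every host that has ever seen the file, whatever the verdict was at the time."""
        return sorted({host for _ts, host, _path in self.sightings[sha256]})


def run_scenario():
    """Constructed timeline: an unknown file spreads, is convicted later, then reappears."""
    t = FileTelemetry()
    allowed = [t.record(100, "ws-a", r"C:\Users\a\Downloads\invoice.exe", UNKNOWN_DROPPER),
               t.record(200, "ws-b", r"C:\Users\b\Downloads\invoice.exe", UNKNOWN_DROPPER),
               t.record(300, "ws-c", r"D:\share\invoice.exe", UNKNOWN_DROPPER)]
    late = t.update_disposition(UNKNOWN_DROPPER, "malicious", 3600)   # sandbox verdict an hour later
    blocked = t.record(3700, "ws-d", r"C:\tmp\invoice.exe", UNKNOWN_DROPPER)  # now stopped in real time
    return t, allowed, late, blocked


if __name__ == "__main__":
    telemetry, allowed, late, blocked = run_scenario()
    print(allowed, [a["host"] for a in late], blocked, telemetry.affected_hosts(UNKNOWN_DROPPER))
```

The "seen" and "convicted" timestamps on each retrospective alert give the analyst the dwell time directly, which is the scoping question the "after" phase of the continuum is meant to answer.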
The Threat-Centric Model
• Visibility: broad awareness for context
• Control: set policy to reduce the surface area of attack
• Threat: focus on the threat; security is about detecting, understanding, and stopping threats
• Breach: understand scope, contain & remediate
APIs connect the layers; a workflow (automation) engine drives them.
Visibility Layer Concept
Context sources: RNA & RUA, AD (RUA connector), ISE, AnyConnect, 3rd-party context sources
Interfaces into FireSIGHT: pxGrid API, Host Input API
Network Map
Control layer: auto-config (R3), impact assessment, policy & response engine, APIC, remediation
FireSIGHT API → 3rd-party apps
Security platforms
Control
• Control is about defining & managing the interactions between users, applications, devices, and data
• Access control & segmentation
• Policy enforcement
• Asset hardening & management
• User management
Control Layer Concept
Diagram: user environment (mobile device + AnyConnect VPN, endpoints) and data centre environment (servers, hypervisors). ISE, APIC, FireSIGHT, route/switch and ASA/VPN issue policy enforcement directives; network traffic flows between the two environments.
Threat and Breach
• Detection & response are critical functions today
• Being able to detect in a "relevant timeframe"
• Timeframe of response
  – "The Golden Hour"
Integrated Threat Defence Architecture Concept
Diagram: Cognitive and CSI sit above a threat environment comprising NGIPS, ESA, WSA and CWS. Control layer: endpoints and a mobile device with AnyConnect (user environment); servers and hypervisors (data centre environment). Visibility layer: APIC / ISE and FireSIGHT. Raw/uninspected traffic, inspected traffic, streaming telemetry and telemetry/eventing/management paths connect the layers.

Integrated Threat Defence Architecture Concept (with AMP)
Diagram: the same architecture with AMP added at every enforcement point: NGIPS + AMP, ESA + AMP, WSA + AMP, CWS + AMP, endpoints + AMP & AnyConnect, mobile device + AMP & AnyConnect, servers + AMP, hypervisors + AMP.
Challenges
• None of this works if everything has to be there for any of it to work
• Each product must stand alone as the best in its class
• When Cisco products are brought together they gain capability through leveraging each other's visibility and control mechanisms

Our fundamental job is to reduce complexity and increase capability
Reduce Complexity and Increase Capability
• Collective Security Intelligence
• Centralised management (appliances, virtual)
• Network control platform (appliances, virtual)
• Device control platform (host, mobile, virtual)
• Cloud services control platform (hosted)
Collective Security Intelligence
Cisco Talos (Talos Security Intelligence and Research Group) produces:
• Malware protection
• Reputation feeds
• Vulnerability database updates
• IPS rules
using sandboxing, machine learning and big data infrastructure.

Inputs:
• Private and public threat feeds
• File samples (>1.1 million per day)
• FireAMP™ Community
• Sourcefire AEGIS™ Program
• Honeypots
• Advanced Microsoft and industry disclosures
• SPARK Program
• Snort and ClamAV open source communities
It Takes an Architecture

Start with Best-of-breed Products
Figure: independent competitive testing results. Source: NSS Labs.
Working Together to Create a Security Architecture
• Malware prevention / sandboxing: Cisco AMP
• Context-aware segmentation: Cisco TrustSec
• Common identity, policy and context sharing: Cisco Identity Services (ISE)
• Wired/wireless and VPN network integration
• Cisco Collective Security Intelligence
• Pervasive & integrated context across the portfolio; visibility
• Enforcement points: Cisco ASA w/FirePOWER, Cisco NGIPS, Cisco Web & Email Security, Cisco AMP client
Superior Intelligence to Battle Advanced Threats
Cisco® SIO + Sourcefire VRT® = Talos: Cisco Collective Security Intelligence
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600+ engineers, technicians, and researchers
• 35% of worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 40+ languages
• 180,000+ file samples per day
• FireAMP™ Community, 3+ million
• Advanced Microsoft and industry disclosures
• Snort and ClamAV open source communities
• Honeypots
• Sourcefire AEGIS™ Program
• Private and public threat feeds
• Dynamic analysis
Pervasive across the portfolio: Email, AMP, Web, Network, NGIPS, NGFW
Enhance with Cisco Security Services
• Advisory: Custom Threat Intelligence; Technical Security Assessments
• Integration: Integration Services; Security Optimisation Services
• Managed: Managed Threat Defence; Remote Managed Services
Only Cisco Delivers
• Unmatched visibility: global intelligence with the right context
• Consistent control: consistent policies across the network and data centre
• Advanced threat protection: detects and stops advanced threats
• Complexity reduction: fits and adapts to changing business models
Related Sessions
• BRKSEC-1030 - Introduction to the Cisco Sourcefire NGIPS – Gary Spiteri
• BRKSEC-2021 - Firewall Architectures in the Data Centre and Internet Edge – Goran Saradzic
• BRKSEC-2028 - Deploying Next Generation Firewall with ASA and Firepower Services – Jeff Fanelli
• BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec – Imran Bashir
• BRKSEC-2664 - Cisco Sourcefire Advanced Malware Protection (AMP) – Jay Tecksingani
• BRKSEC-2690 - Deploying Security Group Tags – Kevin Regan
• BRKSEC-2691 - Identity Based Networking: IEEE 802.1X and Beyond – Hari Prasad Holla
• BRKSEC-2902 - Embrace Cloud Web Security With Your Cisco Network – Hideyuki Kobayashi
• BRKSEC-3770 - Advanced Email Security with ESA – Joe Montes
• BRKSEC-3771 - Web Security Deployment with WSA – ChooKai Kang
Continue Your Education
• Demos in the Cisco Campus
• Walk-in self-paced labs
• Meet the Expert 1:1 meetings
Q&A

Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations.
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site: http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm.

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com

Thank you.
Session Abstract
BRKSEC-2061: Cisco + SourceFire: Threat-Centric Security Approach
Jatin Sachdeva, Security Architect, Cisco ANZ

To truly protect against all possible attack vectors, IT professionals must accept the nature of modern networked environments and devices and start defending them by thinking like defenders responsible for securing their infrastructure. Critical to accomplishing this is first understanding the modern threat landscape and how a threat-centric approach to security can increase the effectiveness of threat prevention. This technical session will provide a "how to" with the Cisco Security portfolio, provide an update on the Cisco and Sourcefire security architectures and integrations, and also detail current threats based on research from Cisco's Talos Security Intelligence & Research Group. By attending this session, Security, Network and IT architects will benefit from learning approaches that protect their environments across the attack continuum: before, during and after an attack.