Threat-Centric Security with FirePOWER


Page 1: Threat-Centric Security with FirePOWER


Page 2

Threat-Centric Security with FirePOWER

Håkan Nohre, CISSP, Consulting Systems Engineer

Page 3

Cisco Connect 2015

Demo:

§ John surfs the net with an unpatched Adobe Flash Player - vulnerability from May 2014
§ John is lured to a Browser Exploit Site
§ John's PC is owned by a controller (Command and Control)

(Diagram: Browser Exploit Site, Controller, John's PC)

Page 4

The Kill Chain

Recon -> Attack Delivery -> Exploitation -> Persistence -> C&C -> Lateral Movement -> Steal Data

https://media.blackhat.com/bh-us-12/Briefings/Flynn/bh-us-12-Flynn-intrusion-along-the-kill-chain-WP.pdf

What if we could detect and correlate?

Page 5

Security Model: the Attack Continuum

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Point in time -> Continuous

Visibility and Automation

Page 6

The Problem with Legacy Next-Generation Firewalls

Legacy NGFWs focus on Application Visibility and Control, but miss the threat... and do not provide visibility.

Legacy NGFWs can reduce the attack surface, but advanced malware often evades security controls.

Page 7

Cisco ASA with FirePOWER Services: Industry's First Adaptive, Threat-Focused NGFW

§ World's most widely deployed, enterprise-class ASA stateful firewall
§ Identity-policy control & VPN
§ Best-in-class high availability with clustering
§ Integrated threat defense across the attack continuum
§ Unmatched visibility and automation with FireSIGHT management
§ Threat focused - industry-leading next-generation IPS (NGIPS)
§ Advanced Malware Protection
§ URL Filtering

Page 8

ASA with FirePOWER Services

ASA High-end: 5585-X - FirePOWER hardware module
ASA Midrange: 5512-X to 5555-X - FirePOWER software module (*requires SSD disk)
ASA for SMB: 5506-X - FirePOWER Services supported by default

Page 9

FirePOWER Platforms: IPS Performance and Scalability

Deployment segments: Data Center, Campus, Branch Office, SOHO, Internet Edge

FirePOWER 7000 Series: 50 Mbps - 250 Mbps
FirePOWER 7100 Series: 500 Mbps - 1 Gbps
FirePOWER 7120/7125/8120: 1 Gbps - 2 Gbps
FirePOWER 8100/8200: 2 Gbps - 10 Gbps
FirePOWER 8200 Series: 10 Gbps - 40 Gbps

§ From 50 Mbps to 60 Gbps
§ Modularity in the 8000 Series
§ Fixed connectivity in the 7000 Series
§ Mixed SFPs in the 7100 Series
§ Fail-Open and Fail-Close configuration across all
§ Scalable 8000 Series
§ Runs NGIPS, AMP and App Control in the same chassis

Page 10

ASA FirePOWER Services Management

1. NetOps workflows - CSM 4.6/7 or ASDM (ASA on-box)
2. SecOps workflows - FireSIGHT Management Center

Functions: NGFW/NGIPS management, forensics / log management, network AMP / trajectory, vulnerability management, incident control system, adaptive security policy, retrospective analysis, correlated SIEM eventing, network-wide / client visibility

Visibility categories: threats, users, web applications, application protocols, file transfers, malware, command & control servers, client applications, network servers, operating systems, routers & switches, mobile devices, printers, VoIP phones, virtual machines

(Diagram labels: CSM or ASDM; FireSIGHT)

Page 11

Visibility: FireSIGHT Discovers

Host 10.1.19.4: OS, User (john), Apps, Vulnerabilities

§ ...automatically
§ Hosts, OS, logged-in users, applications, vulnerabilities
§ Gives much more than just Application Visibility and Control (AVC)

Page 12

Visibility: FireSIGHT Discovers Users

Host 10.1.19.4: OS, User (john), Apps, Vulnerabilities

§ User Agent installed on a Windows machine
§ Reads Active Directory logon and logoff events
§ Informs FireSIGHT

(Diagram: john logs on -> Active Directory -> User Agent -> FireSIGHT)

Page 13

Future: Discovering Identities for Other Devices

Host 10.1.19.4: OS, User, Apps, Vulnerabilities

§ Device authenticates to the network (802.1X)
§ Cisco ISE shares the identity information over pxGrid
§ Works even if the device is not in Active Directory

(Diagram: john -> ISE -> pxGrid -> FireSIGHT)

Future - Roadmaps are subject to change

Page 14

FirePOWER Services: NGIPS

§ IPS engine based on open source Snort
§ Best threat effectiveness
§ Best value (lowest TCO per protected Mbps)
§ Subscription license

(Diagram labels: IPS, OpenAppID)

Page 15

Visibility: Reduce Workload and Improve Performance

§ FireSIGHT recommends IPS tuning
§ Reduces workload
§ Improves performance

Adapt IPS tuning to the environment: reduced risk and cost

Page 16

Visibility: Reduced Workload and Risk

Host 192.168.3.1: OS, User (john), Apps, Vulnerabilities

§ Increased IPS efficacy
§ Focus on relevant alerts

Example impact flag: "Act Immediately, Vulnerable"

Page 17

FireSIGHT correlates every intrusion event to the impact of the attack against its target:

IMPACT FLAG | ADMINISTRATOR ACTION | WHY
1 | Act Immediately, Vulnerable | Event corresponds to a vulnerability mapped to the host
2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
4 | Good to Know, Unknown Target | Monitored network, but unknown host
0 | Good to Know, Unknown Network | Unmonitored network

Cisco FireSIGHT simplifies operations: it tells you which alerts are the most important!
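The table above is a decision procedure: each intrusion event is checked against what discovery knows about the target host. The following is an added example, not Cisco's code, that re-creates that procedure in Python. The host profiles, the rule-to-vulnerability mapping (`RULE_VULNS`), the monitored networks and the events are all constructed for the illustration; the flag numbers and action labels are the slide's.

```python
# Added example, not Cisco's code: a minimal re-creation of the impact-flag
# logic the slide describes. Host profiles, the rule-to-vulnerability mapping,
# the monitored networks and the sample events are all constructed here.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Flag -> administrator action, as listed on the slide.
IMPACT_LABELS = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}
# Triage order: flag 1 first, the two "unknown" flags last.
PRIORITY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}

# Networks the sensor is configured to discover hosts in (constructed).
MONITORED_NETS = [ip_network("10.1.0.0/16"), ip_network("192.168.3.0/24")]

# Which vulnerability ids each intrusion rule is associated with (constructed).
RULE_VULNS = {
    "SMB-exploit-rule": {"VULN-A"},
    "FLASH-exploit-rule": {"VULN-B"},
}


@dataclass
class HostProfile:
    """What discovery has learned about one host."""
    ip: str
    open_services: set = field(default_factory=set)  # {(proto, port), ...}
    vulns: set = field(default_factory=set)          # vulnerability ids mapped to the host


@dataclass
class IntrusionEvent:
    rule: str
    dst_ip: str
    proto: str
    dst_port: int


def impact_flag(event: IntrusionEvent, hosts: dict) -> int:
    """Return the impact flag (0-4) for one intrusion event."""
    if not any(ip_address(event.dst_ip) in net for net in MONITORED_NETS):
        return 0                       # target lies in an unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                       # monitored network, but host never discovered
    if RULE_VULNS.get(event.rule, set()) & host.vulns:
        return 1                       # rule hits a vulnerability mapped to this host
    if (event.proto, event.dst_port) in host.open_services:
        return 2                       # port/protocol in use, but no vulnerability mapped
    return 3                           # service not in use on the target


def triage(events, hosts):
    """Order events so the most important alerts come first."""
    flagged = [(impact_flag(e, hosts), e) for e in events]
    flagged.sort(key=lambda pair: PRIORITY[pair[0]])
    return [(flag, IMPACT_LABELS[flag], e.rule, e.dst_ip) for flag, e in flagged]


# Constructed discovery data and events for a stand-alone run.
HOSTS = {
    "10.1.19.4": HostProfile("10.1.19.4", {("tcp", 445), ("tcp", 80)}, {"VULN-A"}),
    "192.168.3.1": HostProfile("192.168.3.1", {("tcp", 22)}, set()),
}
EVENTS = [
    IntrusionEvent("SMB-exploit-rule", "192.168.3.1", "tcp", 445),   # port closed -> 3
    IntrusionEvent("FLASH-exploit-rule", "10.1.19.4", "tcp", 80),    # port open, no vuln -> 2
    IntrusionEvent("SMB-exploit-rule", "10.1.19.4", "tcp", 445),     # vuln mapped -> 1
    IntrusionEvent("SMB-exploit-rule", "10.1.19.200", "tcp", 445),   # undiscovered host -> 4
    IntrusionEvent("SMB-exploit-rule", "203.0.113.9", "tcp", 445),   # unmonitored network -> 0
]

if __name__ == "__main__":
    for flag, label, rule, target in triage(EVENTS, HOSTS):
        print(f"impact {flag}: {label:40} {rule} -> {target}")
```

The order of the checks matters: the vulnerability match is tested before the open-port match, so a host that is both listening on the port and carrying the mapped vulnerability gets flag 1, not 2. The quality of the result is only as good as the discovery data behind `HOSTS`; a stale host profile turns real flag-1 events into flag-2 or flag-3 noise.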

Page 18

Security Intelligence: Reputation-Based Filters

§ Detects communication to known CnCs and malware sites
§ Complements signature-based detection

Reduced risk

ALERT! John tried to connect to a known CnC

Page 19

3rd Party Validation: IPS

Top ratings (8260)*

§ 98.9% detection & protection
§ 34 Gbps inspected throughput
§ 60M concurrent connections
§ $15 TCO / protected Mbps

Page 20

AMP - Advanced Malware Protection

§ Analyses files to block and detect malware
§ Cloud-based lookup of file reputation
§ Cloud-based dynamic analysis with sandboxing
§ Retrospective security
§ Subscription license

Page 21

The Value of Retrospective Security

• If a malicious file slips through the anti-malware controls...
• ...because it was new malware

Page 22

The Value of Retrospection

• If a malicious file slips through the anti-malware controls...
• ...because it was new malware
• And the next day, when the malware is known...
• Wouldn't you want to know:
  - Who downloaded it?
  - Where has it spread?

Reduced risk and cost

Page 23

AMP in Action: Known Bad File

§ File lookup returns "malware"
§ File dropped immediately

(Diagram: AMP -> AMP Cloud, File Lookup = Malware)

Page 24

AMP in Action: Retrospective Security

§ File lookup returns "Unknown"
§ File is allowed

(Diagram: AMP -> AMP Cloud, File Lookup = Unknown)

Page 25

AMP in Action: Retrospective Security

§ File is later classified as malware
  - sandboxing
  - machine learning
  - intelligence community
§ Alert on who downloaded the file
§ Visibility and containment

Reduced risk and cost

ALERT! catfood.pdf downloaded by [email protected] is malware
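Pages 23 to 25 describe one flow: a file hash is looked up, "malware" is dropped, "unknown" is allowed but remembered, and when the verdict later changes every recorded transfer turns into an alert. The following added example (not Cisco's code) models that flow in Python. The `ReputationCloud` class is an in-memory stand-in for the AMP cloud lookup, and the file content, user names and host addresses are constructed.

```python
# Added example, not Cisco's code: a toy model of the retrospective flow the
# slides describe. The "cloud" is an in-memory dictionary standing in for the
# AMP reputation lookup; file contents, users and hosts are constructed.
import hashlib
from collections import defaultdict


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class ReputationCloud:
    """Stand-in for the cloud file-reputation service."""
    def __init__(self):
        self._verdicts = {}          # sha256 -> "malware" | "clean"

    def lookup(self, sha256: str) -> str:
        return self._verdicts.get(sha256, "unknown")

    def classify(self, sha256: str, verdict: str) -> None:
        """Later classification (sandboxing, machine learning, intelligence)."""
        self._verdicts[sha256] = verdict


class FileInspector:
    """Inline file inspection that remembers every transfer it let through."""
    def __init__(self, cloud: ReputationCloud):
        self.cloud = cloud
        self.transfers = defaultdict(list)   # sha256 -> [(user, host, filename), ...]

    def inspect(self, content: bytes, filename: str, user: str, host: str) -> str:
        sha = sha256_hex(content)
        if self.cloud.lookup(sha) == "malware":
            return "dropped"                 # known bad: block immediately
        # "unknown" (and "clean") files are allowed, but the transfer is recorded
        # so that a later verdict can be applied retrospectively.
        self.transfers[sha].append((user, host, filename))
        return "allowed"

    def retrospective_alerts(self, sha256: str) -> list:
        """Who downloaded a file that is now known to be malware, and where it spread."""
        if self.cloud.lookup(sha256) != "malware":
            return []
        return [f"ALERT! {fn} downloaded by {user} on {host} is malware"
                for user, host, fn in self.transfers[sha256]]


def demo_scenario() -> dict:
    """Day 1: an unknown file is allowed twice. Day 2: the verdict changes."""
    cloud = ReputationCloud()
    inspector = FileInspector(cloud)
    content = b"constructed sample file bytes for catfood.pdf"   # constructed content
    sha = sha256_hex(content)

    day1 = [inspector.inspect(content, "catfood.pdf", "john", "10.1.19.4"),
            inspector.inspect(content, "catfood.pdf", "alice", "10.1.19.7")]

    cloud.classify(sha, "malware")           # the file is later classified as malware
    day2_block = inspector.inspect(content, "catfood.pdf", "bob", "10.1.19.9")
    return {"day1": day1, "day2_block": day2_block,
            "alerts": inspector.retrospective_alerts(sha),
            "unknown_alerts": inspector.retrospective_alerts(sha256_hex(b"other"))}


if __name__ == "__main__":
    for line in demo_scenario()["alerts"]:
        print(line)
```

The point of the model is the `transfers` table: without a record of which hash went to which user and host while the verdict was still "unknown", the later "malware" verdict cannot be turned into the "who downloaded it, where has it spread" answer the previous slide asks for.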

Page 26

FireSIGHT: Indications of Compromise

• FireSIGHT Indications of Compromise identifies hacked clients
• Based on IPS alerts, malware events, and communications with known botnet controllers
• Quick and easy to identify hacked clients

Reduced risk and cost

Page 27

FireSIGHT: Detecting Anomalies

• Detects if a new application appears or the traffic profile changes
• Identify hacked hosts
• Useful in static environments: SCADA, DMZ, MEDTEC...

Reduced risk and cost

ALERT: Host has suddenly started to use an SSH client and outgoing traffic volume has increased by 3
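The anomaly alert on this slide rests on a per-host baseline: which applications the host normally uses and how much it normally sends. The following added example (not Cisco's code) builds such a baseline from constructed flow summaries and evaluates a new day against it. The flow records, the host addresses and the choice of a 3x volume threshold (`ratio`) are assumptions made for the illustration.

```python
# Added example, not Cisco's code: a simple per-host baseline of applications
# and outgoing volume, checked against one new day of constructed flow
# records. The 3x volume ratio is an assumption chosen for the illustration.
from collections import defaultdict

# Constructed flow summaries: (day, host, application, bytes_out).
FLOWS = [
    (1, "192.168.3.1", "http", 1000), (1, "192.168.3.1", "dns", 100),
    (2, "192.168.3.1", "http", 1000), (2, "192.168.3.1", "dns", 100),
    (3, "192.168.3.1", "http", 1000), (3, "192.168.3.1", "dns", 100),
    (1, "192.168.3.2", "http", 500), (2, "192.168.3.2", "http", 500),
    (3, "192.168.3.2", "http", 500),
    # day 4: host .1 starts using an SSH client and pushes far more data out
    (4, "192.168.3.1", "http", 1000), (4, "192.168.3.1", "ssh", 4000),
    (4, "192.168.3.2", "http", 600),
]


def build_baselines(flows, baseline_days):
    """Per host: the set of applications seen and mean daily outgoing bytes."""
    apps = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes_out
    for day, host, app, bytes_out in flows:
        if day in baseline_days:
            apps[host].add(app)
            daily[host][day] += bytes_out
    return {host: {"apps": apps[host],
                   "mean_out": sum(daily[host].values()) / len(daily[host])}
            for host in apps}


def detect_anomalies(flows, baselines, day, ratio=3.0):
    """Alert on new applications or an outgoing volume >= ratio x baseline."""
    seen = defaultdict(set)
    out = defaultdict(int)
    for d, host, app, bytes_out in flows:
        if d == day:
            seen[host].add(app)
            out[host] += bytes_out
    alerts = []
    for host in sorted(seen):
        base = baselines.get(host)
        if base is None:
            alerts.append(f"ALERT {host}: no baseline, new host on the network")
            continue
        for app in sorted(seen[host] - base["apps"]):
            alerts.append(f"ALERT {host}: host has suddenly started to use {app}")
        if base["mean_out"] > 0 and out[host] >= ratio * base["mean_out"]:
            alerts.append(f"ALERT {host}: outgoing traffic volume has increased "
                          f"by {out[host] / base['mean_out']:.1f}x")
    return alerts


if __name__ == "__main__":
    for line in detect_anomalies(FLOWS, build_baselines(FLOWS, {1, 2, 3}), day=4):
        print(line)
```

This is why the slide calls out static environments: a baseline is only meaningful where the set of applications and the traffic profile rarely change, so a first-ever SSH client or a multiple of the usual outgoing volume stands out rather than drowning in normal variation.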

Page 28

FireSIGHT: Automated Responses

• Use pre-defined or custom scripts to initiate automatic actions
• E.g., quarantine a device with the ISE API

Reduced risk and cost

Indications of Compromise:
- IPS event impact 1
- Malware
- Communication with botnet
-> QUARANTINE (ISE: change VLAN or SGT)
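Pages 26 and 28 together describe a pipeline: correlate intrusion, malware and security-intelligence events per host into indications of compromise, then hand each flagged host to a remediation action. The following added example (not Cisco's code) implements that correlation in Python. The event records are constructed, and `QuarantineHook` only records the change it would request; the actual ISE API call is not modelled here.

```python
# Added example, not Cisco's code: correlating the three event sources the
# slides name into per-host indications of compromise, then handing each
# compromised host to a remediation hook. The hook only records what it would
# do; the real ISE API call is not modelled. All events are constructed.
from collections import defaultdict

# Constructed event stream as the management center might see it.
EVENTS = [
    {"type": "intrusion", "host": "10.1.19.4", "impact": 1, "rule": "FLASH-exploit-rule"},
    {"type": "intrusion", "host": "10.1.19.5", "impact": 3, "rule": "SMB-exploit-rule"},
    {"type": "malware", "host": "10.1.19.4", "file": "catfood.pdf"},
    {"type": "security_intel", "host": "10.1.19.6", "category": "CnC"},
    {"type": "security_intel", "host": "10.1.19.7", "category": "Spam"},
]


def indications_of_compromise(events):
    """Map host -> set of IoC reasons, using the slide's three criteria."""
    ioc = defaultdict(set)
    for e in events:
        if e["type"] == "intrusion" and e["impact"] == 1:
            ioc[e["host"]].add("IPS event impact 1")
        elif e["type"] == "malware":
            ioc[e["host"]].add("Malware")
        elif e["type"] == "security_intel" and e["category"] == "CnC":
            ioc[e["host"]].add("Communication with botnet")
    return dict(ioc)


class QuarantineHook:
    """Remediation stand-in: records the change it would request from the NAC."""
    def __init__(self):
        self.quarantined = []

    def run(self, host, reasons):
        self.quarantined.append(host)
        return f"QUARANTINE {host} (change VLAN or SGT): {', '.join(sorted(reasons))}"


def respond(events, hook):
    """Run the hook once per compromised host; hosts without IoCs are untouched."""
    return [hook.run(host, reasons)
            for host, reasons in sorted(indications_of_compromise(events).items())]


if __name__ == "__main__":
    for line in respond(EVENTS, QuarantineHook()):
        print(line)
```

Note what does not trigger: an impact-3 intrusion event and a non-CnC security-intelligence hit leave their hosts alone. Keying the automatic response to impact 1, malware and botnet communication is what keeps an automated quarantine from acting on the "good to know" tier of alerts.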

Page 29

FireSIGHT: Integrate with 3rd Parties through Open APIs

- eStreamer API: export events
- Vulnerability API: import vulnerabilities
- Remediation modules (ISE shown)

Page 30

FirePOWER Services: URL Filtering

§ Block (or warn on) non-business-related sites by category
§ Based on user and user group
§ Subscription-based license

Employee productivity

Page 31

FireSIGHT: Reporting

§ Extensive reporting
§ Highly customizable templates
§ Scheduled reports

Management visibility

Page 32

John, the CFO. Cat Friend. Owned.

John's PC compromised... HOW, WHEN, WHO ELSE?

Page 33

A Note on this Demo

ASA FirePOWER would have blocked all attacks by default. It was set to "no block" to illustrate visibility of a compromised system. No security system will catch everything.

Retrospective visibility matters!

Page 34

John, the CFO. Cat Friend. Owned.

I know WHO, HOW, WHEN, WHO ELSE, WHAT FILES... but what's the name of the cat?

Page 35

The Kill Chain

Recon -> Attack Delivery -> Exploitation -> Persistence -> C&C -> Lateral Movement -> Steal Data

https://media.blackhat.com/bh-us-12/Briefings/Flynn/bh-us-12-Flynn-intrusion-along-the-kill-chain-WP.pdf

What if we could detect, correlate and take action?

Page 36

Summary

• ASA with FirePOWER Services is the industry's first threat-focused NGFW
• Threat defense with IPS, AMP and URL filtering
• Unprecedented visibility with FireSIGHT management
