Professional Documents
Culture Documents
Dragan Novaković
Cisco Systems
ASA “Adaptive Security Appliance”
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Sourcefire – Next Generation security
• Firepower Next Generation IPS
• Best of breed IPS
• Based on open source Snort
• Integrated Advanced Malware Protection
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
ASA with FirePOWER Services
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Firepower Threat Defense
CISCO COLLECTIVE SECURITY INTELLIGENCE
WWW
Malware
High Intrusion URL Filtering
Protection
Availability Prevention
Analytics &
Network Application Automation
Firewall and Visibility Network
Network Identity Based
Identity-Policy
Routing &Control Profiling
Profiling Policy Control
Control
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Platforms & Capabilities
Cisco Firepower NGFW Product Family
Running Firepower Threat Defense (FTD) or Firepower services
Firepower 9300
(SM-24, SM-36, SM-44)
Performance and Scalability
FTDv
SMB & Distributed Enterprise Commercial & Enterprise Data Center, High Performance Computing, Service
Provider
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Cisco NGFW Platforms
Firepower Threat Defense for Firepower Services Firepower 4100 Series
ASA 5500-X on ASA 5500-X and 5585-X and Firepower 9300
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
A complete Unified Threat Management solution
Security
NG Firewall, Client VPN,
Site to Site VPN, IDS/IPS, Anti-
Malware, Geo-Firewall
Networking
NAT/DHCP, 3G/4G Cellular,
Intelligent WAN (IWAN)
Application Control
Web Caching, Traffic
Shaping, Content Filtering
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why customers choose the Cisco Meraki MX
Intuitive centralized management
• No training, no command line
• Templates to configure at-scale
• Packet capture, built-in tools and
diagnostics
Industry-leading visibility
• Fingerprints users, applications, and devices
• Network-wide monitoring and alerts
• Full stack: APs, switches, Security, MDM
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Firepower 9300
Platform
High-speed, scalable security
Multiservice
Modular Carrier Class
Security
Benefits Benefits Benefits
• Standards and interoperability • Integration of best-in-class security • Industry-leading performance:
• Flexible architecture • Dynamic service stitching • 600% higher performance
• 30% higher port density
Features Features*
• Template-driven security • Cisco® ASA container Features
• Secure containerization for • Cisco Firepower™ Threat Defense • Compact, 3RU form factor
customer apps containers: • 10-Gbps/40-Gbps/100-Gbps I/O;
• RESTful/JSON API • NGIPS, AMP, URL, AVC • Terabit backplane
• Third-party orchestration and • Third-party containers: • Low latency, intelligent fast path
management • Radware DDoS • Network Equipment-Building
• Other ecosystem partners System (NEBS) ready
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Firepower 9300 Overview
Supervisor Network Modules
• Application deployment and orchestration • 10GE/40GE/100GE
• Network attachment and traffic distribution • Hardware bypass for inline NGIPS
• Clustering base layer for ASA/FTD
3RU
Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco (ASA, FTD) and third-party (Radware DDoS) applications
• Standalone or clustered within and across chassis
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Supervisor Simplified Hardware Diagram
System Bus
Security Security Security
Module 1 Module 2 Module 3
RAM
On-board 8x10GE NM NM
interfaces Slot 1 Slot 2
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Security Module Simplified Diagram
System Bus
RAM
256GB x86 CPU 1 x86 CPU 2
24 or 36 or 44 24 or 36 or 44
Ethernet
cores cores
2x100Gbps
2x40Gbps
Backplane Supervisor Connection
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Firepower 4100 Series
Introducing four new high-performance models
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Firepower 4100 Architecture
RAM
4110: 64Gb x86 CPU 1 x86 CPU 2
4120: 128Gb 4110: 12 cores 4110: N/A System Bus
4140: 256Gb 4120: 12 cores 4120: 12 cores
4150: 256Gb 4140: 36 cores 4140: 36 cores
4150: 44 cores 4150: 44 cores RAM
4110: 1x100Gbps Ethernet
4120-4150: 2x100Gbps
Smart NIC and
Crypto Accelerator
4110: 1x40Gbps
4120-4150: 2x40Gbps
Internal Switch Fabric
x86 CPU
(up to 18x40GE)
2x40Gbps 5x40Gbps 5x40Gbps
On-board 8x10GE NM NM
interfaces Slot 1 Slot 2
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Mix and Match Interface Modes
Routed or Transparent
A F Interfaces
Policy Tables
Passive
B G
Inline Pair 1
C H
Inline Set
Inline Pair 2
D I
Inline Tap
E J
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Cisco Firepower and ASA NGFW
Stop more Gain more Detect earlier, Reduce Get more from
threats insight act faster complexity your network
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Firepower Management Center
Nice and useful features
Easily manage NGFWs across multiple sites
Firepower Management Center
Manage across many sites Control access and set policies Investigate incidents Prioritize response
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Detection Capabilities
Talos Collective
Security Intelligence
Application Definitions, App Detectors AppID Server, Client and Web Apps
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Context comes from knowing the hosts on your network
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Impact Assessment - Identify Where to Start
Goal:
1. What needs to be fixed now!
2. Have enough data to know what
can be prevented in the future.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
What too many networks look like
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Drilling into the IOC
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Digging into the IOC
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Looks like Kim
Ralls has a lot
going on her
Windows host.
✔
✔
✔
✔
Events from multiple
sources:
• IPS Engine
• File Protection
• AMP for Networks
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
• .145 Tried to send the file 5 times
• .145 was sent the file once
• IPS blocked it! (yeah)
• What does Impact 4 mean?
• Should we investigate more?
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Did you forget
about these?
✔
✔
✔
✔
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Yep. That file is
malware
We see it in the
malware
summary, too.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
• A lot more than the 6
file transfers and hosts
the IPS engine
stopped.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Security Automation is more than just Operations
Reporting
Correlation Rules
Remediation API
Analytics Operations
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Recommended Rules – How it works
SID: 33306
BLACKLIST: Connection to
a malware sinkhole.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Correlation Rules
Correlation Rules / Correlation Policy
100,000 events Correlation Rules allow for BOOLEAN
decisions on one or more sets of data
Value: within the FireSIGHT console.
• Automate Security Decisions
5,000 events Rules can then lead to Actions such
as: Email, Syslog, SNMP events or
• Track Business Outcome 500 events remediation actions.
• Trigger Automated Response to
100 events
Correlation Policy
specific conditions Correlation Correlation
20 events Rule Event
Correlation
Action
Rule
10 events
Email
Syslog
SNMP
Remediation Module
3 Events
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Correlating Event Data
Flow and connection conditions Data from User Table (name,
group info, etc) Data from Host Profiles
over time or volume.
When a…
Intrusion Event ✔ ✔ ✔
Discovery Event ✔ ✔ ✔
Connection Event ✔ ✔ ✔
Host Input Event ✔ ✔ ✔
User Activity Occurs ✔ ✔
Traffic Profile Changes
Malware Event
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Correlation Rules – Leveraging Host Attributes
Host Attributes:
• Localization of Host
Profile information
• Multiple Data Types
• Can be modified via
FMC or Host Input API
• Can be leveraged in
Correlation Rules
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Enable automated scanning of new hosts
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Action example:
NMAP Scan
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Correlation Rule – Putting it together
Condition Action
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Correlation Rule – A new IP pops UP in the management ZONE
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Building a Correlation Rule
Correlation Rule to:
• Ensure only HTTPS traffic is
used on port 443
• Ensure traffic is initiated by a
Host with a defined Location
(host Attribute) is POS
• Ensure the HTTPS traffic
from the POS host is received
on hosts in the PCI network.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Correlation Rule example: Production Network Change
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Remediation
Automating Response – Remediation API
Boolean
Intrusion Events Correlation Rules
Conditios
Discovery Events
User Activity
Host Inputs
Connection Events Correlation Policies
Traffic Profiles
Malware Event Actions
Correlation Rules Correlation Events
(API, Email, SNMP)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
ISE + Firepower = Rapid Threat Containment
WWW
4. Endpoint
Assigned Quarantine
+ CoA-Reauth Sent
Controller MnT
3. pxGrid EPS
1. Security Action: Quarantine
Events / IOCs + Re-Auth
NGFW Reported
2. Correlation
FMC
Rules Trigger
i-Net Remediation Action
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Reporting
Default Reports
§ Not just what’s in the templates
§ Dashboard widgets have almost 120
preset reports
§ Customizing Widgets means thousands
of reporting options.
§ Think of the Dashboard as your report
designer.
§ Tools:
§ Searches
§ Custom Workflows
§ Custom Tables = Data goldmine
BRKSEC-2058 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Customize The Dashboard
BRKSEC-2058 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Customize The Dashboard
This is your
most powerful
widget
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Dashboards That Meet Your Needs Threat Focused
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Dashboards That Meet Your Needs Network Focused
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Build Reports Straight from the Dashboard
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Risk Reports
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Thank you
Dragan Novaković
Cisco Systems
dnovakov@cisco.com