AMP for Networks/FirePOWER v5

Presentation transcript:

AMP for Networks/FirePOWER v5.4 Feature Deep Dive + New AMP for Networks Appliances
Hi everyone, my name is John Dominguez, I’m the product marketing manager for AMP. And we also have Joseph O’Laughlin, the product marketing manager for the FirePOWER NGIPS suite of products. Thanks for joining this session to learn about the new features coming with the AMP for Networks and FirePOWER version 5.4. And we’ll also take a few minutes to talk about the new AMP for Networks appliances. We also have a few experts on the call: Sean Newman, product manager for NGIPS, and Jon DeLong, product manager for the AMP appliances and hardware. They’ll be available after the presentation to answer questions, and also answer questions on the Q&A during the presentation.

Agenda
1. New AMP for Networks Appliances
2. Chivas - AMP for Networks and FirePOWER v5.4 New Features
So, an agenda for today. We’re gonna do a quick run through of the dedicated AMP for Networks appliances, the AMP8050 and the AMP 8350 through 8390. And then we’ll dig deep into the new features that are coming with the version 5.4 release for the AMP for Networks product and FirePOWER NGIPS appliances. OK, so let’s get right into it.

New AMP for Network Dedicated Appliances: AMP8050, AMP8350, 8360, 8370, 8390
When? Ready to ship mid-January, but ready to quote and pre-order NOW
What is it? New AMP for Network dedicated appliances. Different/better performance options for customers. AMP for Networks appliances are a specialized subset of FirePOWER appliances. Dedicated AMP for Networks appliances are optimized to provide higher AMP-related performance and storage requirements.
Description: The Cisco AMP for Networks Dedicated Appliances were built specifically to be paired with the AMP for Networks service subscriptions. They give you all the benefits offered in the Cisco AMP for Networks solution on appliance models that are optimized to provide higher AMP-related performance and storage requirements, and to meet the specific needs of customers looking for increased security effectiveness in high-demand environments.
So, AMP for Network Dedicated Appliances. When I say dedicated appliances, I’m talking about the current FirePOWER IPS appliances that are dedicated to running AMP for Networks. So you can deploy Cisco AMP for Networks on any Cisco FirePOWER security appliance. However, the Cisco AMP dedicated appliances, the current ones being the AMP7150 and AMP8150, let you deploy AMP for Networks on appliance models that offer dedicated processing power and storage to meet specific goals in demanding environments. Now we have 5 more AMP for Networks dedicated appliances being released. We’re offering new levels of performance with these 5 new models, the AMP8050, AMP 8350, AMP8360, AMP 8370 and AMP8390. These models span the range of performance and throughput. We’ll take a quick peek at the actual performance on the next slide, but in short, these were created to meet the customer need for a higher performing appliance and to meet specific customer goals in demanding environments. So when is it available? These are ready to ship by mid-January, BUT they are ready to pre-order and quote right now.
In a few slides I’ll review how to order them and provide some selling resources as well.

New AMP for Network Dedicated Appliances: AMP8050, AMP8350-8390
A quick view of the specs. We’re offering different levels of performance to the customer. For instance, when you look at AMP and IPS throughput numbers, we can now offer a range of throughput from 500 megabits per second with the 7150 all the way to 20 gigabits per second with the 8390. A full list of these specifications will be available on an internal FAQ and a spec sheet that you can use to share with customers. These specs will also be added to the AMP for Networks data sheet, and that will be posted publicly online in mid-January.

How to Order / Sales Resources
Ordering: The best and easiest way to order an AMP for Networks 1- or 3-year subscription plus an AMP for Networks Dedicated Appliance optimized for AMP performance is to select one of the bundle product IDs on CCW. This automatically selects both the appliance chassis and subscription ID for you, and allows you to then specify your subscription term (1 or 3 years) and service license type (AMP and Apps OR AMP, Apps, and URL).
Resources: Reference the announcement sent from Debbie Daly on Tuesday night, December 16th. Spec Sheet for customers includes performance specifications for each appliance. Internal Sales FAQ for you includes details on how to order, bundle part numbers, full list of product specifications, and answers to other questions.
So how do you order one of these? Well, the best and easiest way to order an AMP for Networks Dedicated Appliance PLUS an AMP for Networks 1- or 3-year subscription is to select one of the bundle product IDs on CCW. This automatically selects both the appliance chassis and subscription ID for you, and allows you to then specify your subscription term (1 or 3 years) and service license type (AMP and Apps OR AMP, Apps, and URL). So where can you find these bundles and other information on how to order? We have two resources for you: one is a spec sheet that is customer facing and includes all of the performance specifications for each appliance, so you can provide this to customers if they want to see which appliance is the best fit for them, and the next resource is an internal sales FAQ. In this you’ll find details on how to order these appliances and the AMP for Networks subscription that goes with it, a list of those bundle part numbers to make ordering a lot easier, again the full list of product specs, and some answers to other frequently asked questions. So, that is all I have with regard to the AMP for Network appliances.
We’ll take questions at the end regarding these appliances, so if you do have specific questions, please put them in the Q&A chat, or save them for the questions at the end.

Chivas (AMP for Networks/FirePOWER v5.4)
Integrated SSL Decryption; Archive File Support for advanced malware features (tracking, trajectory, disposition lookup, dynamic analysis); New filetype keyword in the Snort rule language/IPS rules; Adobe SWF/Flash PDF Decompression Support; Unicode filename support in FireSIGHT Management Center; Simplified Normalization Configuration; Geolocation and Security Intelligence in correlation rules; Extended IOC support from AMP for Endpoints; Protected Rule Content; Support for AMP Private Cloud Virtual Appliance; VMware tools support; Support for 10G Virtual interfaces; Multiple management ports; LACP Link Aggregation Support
Inspection: Inspecting the Uninspected. Detection: Simplifying and Improving. Platform: Flexibility & Bandwidth.
So next up are the new features as part of the version 5.4 release of AMP for Networks and FirePOWER. These features really fall into 3 big categories: inspection, detection, and platform enhancements. We’re trying to increase our ability to inspect unknown or seemingly good files to see if they’re malicious. Some of these new features will let us more easily root out bad actors. With detection, we’re increasing our detection capabilities, and in doing so, trying to make them more simplified and easier to use. And finally, what we call platform enhancements, in other words, improving the guts of the platform to increase flexibility, increase performance and bandwidth, and provide platform support in different ways to meet the customer’s needs. And so when will all of these features be available? General Availability is set for February 9th. OK, so now, let’s dig deeper into these features in each category.
When will features be available? GA February 9th

Integrated SSL Decryption Inspection Enhancements Why Decrypt? https:// Encrypted traffic flows create blind spots - Application control either not possible, or can’t be granular - Inspection and detection not possible, or significantly impeded SSL Encryption of web application traffic becoming the new normal - SSL around 25-30% of typical Enterprise web traffic and growing rapidly! - Salesforce, Office 365, Facebook, Twitter, Gmail, etc, etc... Attackers increasingly using SSL encryption to bypass detection - e.g. Zeus encrypted file download and subsequent encrypted data exfiltration OK so we’ll start with the features that fall under the inspection banner, and that starts with Integrated SSL Decryption So… why the need to decrypt? Well because you can’t protect your network from a threat you can’t see. And encrypted traffic flows create blind spots. So without being able to see the encrypted traffic, inspection and detection are out the door. Also, SSL encryption is becoming the norm. It makes up 30% of enterprise traffic and in that traffic could be a lot of malware that needs to be inspected. Attackers are increasingly using SSL encryption to bypass detection.

Integrated SSL Decryption: Overview and Benefits (Inspection Enhancements)
So that being said, AMP for Networks and FirePOWER v5.4 now have integrated SSL decryption. This enables you to identify and decrypt SSL traffic that’s flowing through or past the sensor with multiple deployment modes. If you have the known keys, so if you are protecting a server that you control and manage and you have the encryption keys, you can decrypt that traffic passively or inline using that known key, or if you are more concerned with traffic flowing out of your environment, you can perform outbound inline decryption without known keys. So the device can decrypt and re-encrypt traffic using a different key set. Also, this isn’t just for HTTPS, it supports much more. And finally, this also gives you the benefit of enforcing certificate policies. So if you’re in a world where you want to block certain types of policies such as self-signed certificates or you’re concerned about specific cipher suites, you can enforce that policy using the FirePOWER appliance. So it’s a cool functionality. It’s enabled on AMP for Networks. One thing to mention on this is that the latest I’ve heard from product management, this functionality is not supported on ASA with FirePOWER services as of yet, hopefully it will on a future release, but this functionality is available on your traditional Sourcefire AMP for Networks deployed on a FirePOWER NGIPS.

SSL Decryption: Where to Decrypt? (Inspection Enhancements)
[Diagram: encrypted traffic between client and server, decrypted either by an external SSL appliance or on the FirePOWER device]
Choose external SSL for high-bandwidth and ability to inspect with other solutions, e.g. DLP
Use new built-in SSL inspection for simplicity and cost-effectiveness
So what would this look like and where does the decryption take place? Well, what you would usually need to do is pass traffic through an external SSL appliance to decrypt. But now, you can use the new built-in SSL inspection to make your life easier, and for some customers with a pretty manageable traffic load, it’s cost effective too. No need to buy another separate SSL appliance, you can just pass it right through the FirePOWER device. Now granted, if you are an enterprise customer dealing with a massive amount of traffic, you’d probably still want to go with an external SSL decryption that can handle the traffic and not overwhelm the FirePOWER appliance, but that all depends on the customer and the amount of traffic they are seeing.

Integrated SSL Decryption: Platforms & Performance (Inspection Enhancements)
- SSL available on FirePOWER Series 3 physical appliances
- Hardware accelerated PKI, hence no virtual support
- FirePOWER Services SSL not supported until v6.0
- Decrypting 50% SSL traffic typically reduces inspected throughput by ~80%
- FirePOWER 8k (except 8140) - throughput reduced by ~80% decrypting 50% SSL traffic; PKI & AES accelerated in hardware
- FirePOWER 7k & 8140 - throughput reduced by ~90% decrypting 50% SSL traffic; PKI only accelerated in hardware
So with regard to that performance, what are we talking about here? Well, at the end of the day, decrypting 50% of SSL traffic usually reduces inspection throughput by 80%. That’s with an 8K. With a 7K and an 8140, we’re looking at throughput reduced by 90% when decrypting 50% SSL traffic. So again, this will need to be a judgement call for the customer as to whether or not they want to utilize that SSL decryption capability given the amount of encrypted traffic they encounter.
When you cover SSL performance - think it important to remind 1) performance hit occurs to all vendors 2) we will model other traffic mix levels 3) we still sell standalone offers for heavy encrypted traffic situations

File-type Pre-Processor: Overview (Inspection Enhancements)
Key Benefit: Simple and more reliable detection of known file types. Enables use in IPS rules and other detection engines. File identification previously performed within the Snort language, e.g. FILE-IDENTIFY rules - flowbits: <filetype>. File type and version can now be specified in a rule. Groups of file types can also be created. E.g.: Detect “Bad” in any EXE or PDF v1.0, v1.1, v1.4 & v1.6 files.
OK, next up is filetype pre-processor. So a new filetype keyword in the Snort rule language means that they’ve enhanced the Snort language with a new preprocessor that delivers file type knowledge INSIDE the Snort rules. So basically, that will be beneficial for anyone who writes their own Snort rules, and they can improve their detection by leveraging the filetype keywords. So before, file ID had to be performed within the Snort language. Now, file type and version can be specified in a rule itself.
    alert tcp any any -> any any (msg: "Bad"; \
    <SNIP> file_type: MSEXE | PDF,1.0,1.1,1.4,1.6;

Archive File Support: Overview and Benefits (Inspection Enhancements)
OK, so moving on to another feature, that’s Archive File Support. So with this, we’ll get expanded file support for archive files. There is a range of different archive file formats, including zip files and many others, but with this release, we’ll be able to use the advanced malware protection features for these files, so we’ll be able to do file tracking, network file trajectory, disposition lookups, and dynamic analysis for these files. For instance, if an archive file is detected, we decompress it and inspect the content within that archive. Once we decompress it we even look for multiple layers of a compressed archive, so for instance, a zip within a zip. We can also set policy on how we want to deal with archive file types. For instance, there are just some files that can’t be decompressed and inspected, like zips that are too deeply nested, like 4 zips deep. We can set policy to automatically block those files and have them inspected later. So all in all, archive file support is another great addition that just adds to our capability to detect threats across file types.
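The nesting policy described above, as an added Python sketch that is not AMP for Networks code: it unpacks a zip layer by layer, hashes each leaf file, and returns a block verdict once the archive is nested deeper than the policy allows. The depth limit of 3, the size cap, the function names and the sample archives are assumptions made for illustration, and SHA-256 stands in for whatever identifier a disposition lookup uses.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 3                        # assumed policy: archive layers that may be opened
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed cap on a member's declared size


def build_nested_zip(levels, inner_name, inner_data):
    """Construct sample input: `inner_data` wrapped in `levels` zip layers."""
    name, data = inner_name, inner_data
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        name, data = f"layer{level}.zip", buf.getvalue()
    return data


def _block(reason):
    return {"verdict": "block", "reason": reason, "files": []}


def inspect_archive(data, max_depth=MAX_DEPTH, depth=1, path="upload.zip"):
    """Walk a zip and return a verdict plus (path, sha256) for every leaf file.

    "inspect" means every layer was opened and the leaves can be looked up;
    "block" means the policy limit was hit before the content was reached.
    """
    if depth > max_depth:
        return _block(f"nested deeper than {max_depth} layers at {path}")
    files = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}"
            # Refuse to expand members that declare an oversized payload.
            if info.file_size > MAX_MEMBER_BYTES:
                return _block(f"member too large: {member_path}")
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                inner = inspect_archive(member, max_depth, depth + 1, member_path)
                if inner["verdict"] == "block":
                    return inner
                files.extend(inner["files"])
            else:
                files.append((member_path, hashlib.sha256(member).hexdigest()))
    return {"verdict": "inspect", "reason": "", "files": files}


if __name__ == "__main__":
    payload = b"constructed sample payload"
    for levels in (2, 4):
        result = inspect_archive(build_nested_zip(levels, "report.txt", payload))
        print(levels, "layers ->", result["verdict"], result["reason"])
        for leaf_path, digest in result["files"]:
            print("   ", leaf_path, digest)
```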

Extended IoC Support from AMP for Endpoints: Overview and Benefits (Detection Enhancements)
Benefit: Enables ongoing support for new IoC detection from AMP for Endpoints
- Prior to Chivas, there was a static defined list of IoC event types available from AMP for Endpoints
- Over time, this list has expanded, and will continue to expand
- With Chivas, the supported AMP for Endpoints IoC list has expanded and become data driven
- As new IoCs are made, FireSIGHT will simply consume them, and they will appear in host profiles, IoC correlation, etc.
Examples: Multiple infected files detected by AMP for Endpoints; Microsoft calculator compromise detected by AMP for Endpoints; OpenIOC detected by AMP for Endpoints
And then one of the most exciting parts of this release is extended IOC support from AMP for Endpoints, so a great integration point here. We’ve expanded our IOC support so that we now leverage a data-driven list of IOCs provided by the cloud. So if the AMP for Endpoints start to detect malicious activity and see new IOCs, AMP for Networks in the FireSIGHT management center can automatically consume those new IOCs and it will be scored in the FireSIGHT IOC correlation as well. So we want to take those indications on AMP for Endpoints and render and score those events inside AMP for Networks as well. A really great way to correlate events across your entire network. So just another reason to push for the use of network and endpoint AMP together to get unmatched visibility and control across your environment.

Support for AMP Private Cloud Virtual Appliance: Overview and Benefits (Detection Enhancements)
- Selection of external clouds for file disposition lookup (Network AMP events): US Cloud, EU Cloud
- Selection of customer internal AMP Private Cloud Virtual Appliance instance: can be used for both file disposition lookup, and AMP for Endpoints event feeds
We also now support AMP Private Cloud Virtual Appliance on AMP for Networks version 5.4. There are two capabilities here. It supports the private cloud but it also enables you to select the external cloud that is used for network AMP lookups. So prior to 5.4, the US cloud was the go-to cloud for all disposition lookups. Now you can specify which cloud you would like to connect to to perform disposition lookups if you’re not using AMP Private Cloud Virtual Appliance, which is the AMP for Endpoints private cloud deployment option. Alternatively, if you are using AMP Private Cloud, you can use your own on-prem disposition lookups and also connect to it to get a feed of all the AMP for Endpoints events that are coming into that AMP for Endpoints Private Cloud.

Unicode Filename Support: Overview and Benefits (Detection Enhancements)
OK, so now we are moving away from what we called “inspection” enhancements and moving to “detection enhancements”. Next is Unicode file support, a real quick mention on this. So this is especially interesting to our friends in APJC that use non-Western characters. With the addition of Unicode filename support in the FireSIGHT management center GUI, APJC customers can now see the filename if it is not in Western script. So here you can see a screenshot of Sality being picked up in an event and you’ll see the filename here represents the characters of the actual file name in the Unicode representation.

Simplified Normalization Configuration: Feature Overview (Detection Enhancements)
- Intuitive configuration removes risk of incorrect normalisation being applied
- Benefit - known attack techniques don’t evade detection
- Global settings now defined in Network Analysis Policy
- Intrusion Policy: Rules, FireSIGHT Recommended Rules, Alerts etc.
OK, moving on to Simplified Normalization Configuration. So the team has also improved the way they break out and control the normalization of traffic out from the IPS. They are calling this Simplified Normalization Configuration. Basically, what this is, is a change in how you set and view policy in FireSIGHT. So the old way is you have a base policy that contained many settings used for normalization regardless of what IPS policy was associated with an access control rule. In the new release, you use a feature called Network Analysis Policy where you can configure all the global settings for normalization across any of your IPS policies and access control policies. That’s basically it in a nutshell. At the end of the day, this feature enables increased flexibility for normalizing traffic flows and avoids confusion over which normalization is actually applied.

Protected Rule Content: Feature Overview (Detection Enhancements)
- Enables protection of sensitive custom rules
- High security & regulated environments
- Avoid public disclosure that a particular threat type is being tracked
Example:
    alert $EXTERNAL_NET any -> $HOME_NET any ( \
    msg: "Found attacker signature"; \
    content: "Example"; offset:6; length:7; <snip>
Protected Rule Content is important for particular verticals interested in high security. It lets you obfuscate what you are looking for inside your rule. So to be more specific, you can create a Snort content match using hashed data and this enables the rule writer to specify what content to search for, but never exposes the content in plain text.
    alert $EXTERNAL_NET any -> $HOME_NET any ( \
    msg: "Found attacker signature"; \
    protected_content: "32c9c3ec30f328c56aad7660faa3122c"; hash:md5; offset:6; length:7; <snip>
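The hashed content match described on this slide, as an added Python example that is not part of the presentation or of Snort: it builds the `protected_content` options for a pattern and then checks payloads against the digest alone, so the plaintext pattern never appears in the rule. Treating `offset` as the exact position to hash, the helper names and the sample payloads are assumptions made for illustration.

```python
import hashlib
import hmac

# Digest names this sketch accepts (assumption: the slide's "hash:md5"
# plus two stronger choices).
ALGORITHMS = ("md5", "sha256", "sha512")


def build_protected_options(content: bytes, offset: int, algo: str = "md5") -> str:
    """Return rule options that carry only a digest of `content`.

    `length` is emitted because the digest says nothing about how many
    payload bytes have to be hashed before comparing.
    """
    if algo not in ALGORITHMS:
        raise ValueError(f"unsupported hash: {algo}")
    digest = hashlib.new(algo, content).hexdigest()
    return (f'protected_content:"{digest}"; hash:{algo}; '
            f"offset:{offset}; length:{len(content)};")


def protected_match(payload: bytes, digest_hex: str, algo: str,
                    offset: int, length: int) -> bool:
    """Hash `length` payload bytes at `offset` and compare with the rule digest.

    Simplification (assumption): the window is taken at exactly `offset`;
    no sliding search over the rest of the payload is attempted.
    """
    window = payload[offset:offset + length]
    if len(window) != length:
        return False  # payload too short to hold the pattern at this offset
    actual = hashlib.new(algo, window).hexdigest()
    return hmac.compare_digest(actual, digest_hex.lower())


def demo():
    """Run the slide's pattern ("Example", offset 6) over constructed payloads."""
    secret = b"Example"
    options = build_protected_options(secret, offset=6)
    digest = options.split('"')[1]
    samples = {                                   # constructed sample payloads
        "pattern at offset 6": b"HELLO Example payload",
        "wrong case": b"HELLO example payload",
        "pattern at offset 0": b"Example at start",
        "truncated": b"HELLO Exa",
    }
    results = {name: protected_match(data, digest, "md5", 6, len(secret))
               for name, data in samples.items()}
    return options, results


if __name__ == "__main__":
    opts, outcome = demo()
    print(opts)
    for name, hit in outcome.items():
        print(f"{name:22s} {'ALERT' if hit else 'no match'}")
```

A single changed byte or a shifted position changes the digest of the window, which is why the match is exact and why `length` and `offset` have to accompany the hash in the rule.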

Geolocation and Security Intelligence in correlation rules: Feature Overview (Detection Enhancements)
- Geolocation is available wherever geography is calculated, e.g., IPS events, connection events, File events, etc.
- Security Intelligence is available in connection events
We’ve also integrated security intelligence and geolocation into our correlation rules engine so you can now leverage attributes such as country and flow data such as command and control detection inside correlation rules. So for instance, if I want to find an intrusion event that occurs using a source country and an impact flag, I can do that. So the addition here is you can search against geolocation events and security intelligence events and multiple event types.

Platform Enhancements
Platform Capability - Benefit
LACP Link Aggregation - Automatic, resilient, bandwidth across multiple parallel network connections
VMware tools support - Increased integration and flexibility for virtual deployments
Support for 10G Virtual interfaces - Improved performance in virtual environments
Multiple Management Ports - Out-of-band management support for increased security and deployment flexibility
And finally, the platform enhancements. We won’t go through these in much detail, this is more plumbing improvements if you will, they’re important but not really something you would use too frequently in a conversation with a customer. The most notable ones are probably VMware tools support in FireSIGHT for increased integration and flexibility for virtual deployments; support for 10G virtual interfaces if the customer needs it, this will enable high-speed interfaces on the virtual machines; and finally, Multiple Management Ports for deployment flexibility. So what does that mean? Well, on the back of the manager where you have two different ports, you can use those two different ports to manage devices in different ways, like maybe you want to segregate the management network and the GUI network from the network link that communicates with sensors, and now you can do that in FireSIGHT.

And with that, we’ve come to the end. So two new developments here: new AMP for Networks appliances launching in mid-January and the new features coming with version 5.4 ready by end of January. So how about we dig into some questions.
Q&A