Cisco FirePOWER Benjamin Doyle October 15th, 2015

Agenda Sourcefire Cisco ASA Next-Gen Firewall (NGFW) FireSIGHT Management Center (FMC) FirePOWER Services Intrusion Prevention System (IPS) Advanced Malware Protection (AMP) URL Filtering Meraki Security Appliance (MX)

Sourcefire

Sourcefire Founded in 2001 2013: Acquired by Cisco for US$2.7B 2014: Technology integration within Cisco Hardware and Software ClamAV and Snort File reputation and dynamic analysis Analysis of behaviours & containment Retrospective protection Visibility through dashboards 2015: EoL non-SF IPS appliances

Cisco ASA Next-Generation Firewall (NGFW)

Cisco ASA and Sourcefire FirePOWER

Cisco ASA Product Line ASA 5585-SSP60 ASA 5585-SSP40 ASA 5585-SSP20 Performance and Scalability ASA 5555-X ASA 5545-X ASA 5525-X ASA 5515-X ASA 5512-X Field: slide that shows the three solutions on a slide like this. Maybe one for firewall, one for IPS and one for NGFW/UTM. Or maybe just the one 2 RU Platforms - 5585 Internet Edge/Campus/Data Center 2 – 20 Gbps: Firewall 1.2 – 6 Gbps: Next Gen IPS 650Mbps – 2.4 Gbps:NGIPS, AVC, AMP 1 RU Platforms Branch Office/Internet Edge 200Mbps - 2 Gbps: Firewall 100 – 725 Mbps: Next Gen IPS 30-160 Mbps: NGIPS, AVC, AMP * Performance numbers to be finalized

NGFW with NGIPS Context awareness is done through Passive Network Detection Source: Cisco Live! BRKSEC-2762 San Diego 2015

Multilayered Protection – Next Gen. FW + Gen2 IPS World’s most widely deployed, enterprise-class ASA stateful firewall Granular Cisco® Application Visibility and Control (AVC) Industry-leading FirePOWER Next- Generation IPS (NGIPS) Reputation- and category-based URL filtering Advanced Malware Protection Identity-Policy Control & VPN URL Filtering (Subscription) FireSIGHT Analytics & Automation Advanced Malware Protection Application Visibility & Control Network Firewall Routing | Switching Clustering & High Availability WWW Cisco Collective Security Intelligence Enabled Built-in Network Profiling Intrusion Prevention (Subscription) Cisco ASA Now we’ll go into greater detail on one of the most important benefits of Cisco ASA: superior multilayer protection. Its enterprise-class granular Application Visibility and Control, or AVC, feature sees over 2,500 applications. It uses risk-based controls that invoke custom-tailored IPS threat detection policies. Its industry-leading FirePOWER Next-Generation IPS, or NGIPS, provides comprehensive threat prevention and full contextual awareness of users, infrastructure, applications, and content. This way, it can detect multivector threats and automate a defense response. Its reputation- and category-based URL filtering offers comprehensive alerts and control over suspect web traffic, and enforces policies on hundreds of millions of URLs in over 80 categories. This help make sure that your users are accessing web sites based on your organization’s acceptable use policies. And its advanced malware protection provides industry-leading breach detection effectiveness, helping you discover, understand, and stop emerging, persistent threats missed by traditional security defenses. You can fingerprint files that are coming in, to get inline disposition, and keep threats from spreading from machine to machine. Visibility over – Network, Device, Application, Threat Detection & Mitigation

FireSIGHT Management Center (FMC)

FireSIGHT Components Network Discovery & Connection Awareness Host discovery Identifies OS, protocols and services running on each host Reports on potential vulnerabilities present on each host based on the information it’s gathered Application identification FireSIGHT can identify over 1900 unique applications using OpenAppID Includes applications that run over web services such as Facebook or LinkedIn Applications can be used as criteria for access control User discovery Monitors for user IDs transmitted as services are used Integrates with MS AD servers to authoritatively ID users Authoritative users can be used as access control criteria

FireSIGHT Management Discovery is reported to you by way of events Connection events are recorded as every connection in a monitored network is seen Host events are recorded when something new on a host is detected or a change to a host is detected Information about all the hosts in your environment is stored in host profiles

Host and Event Correlation When a host in the network map is seen to exhibit signs of compromise Security Intelligence Events C&C Detection via Protocol Analysis Contextual NGIPS Events (Impact 1) FireAMP Endpoint Malware Events

FireSIGHT Discovery By knowing the details of what’s running in your environment, the Sourcefire System can produce a list of what vulnerabilities likely exist This allows the Sourcefire System to put intrusion events in context for more accurate and actionable alerting Which would matter more to you? A code red attack against a host running Linux in your environment Or A code red attack against a host running a vulnerable version of Windows in your environment

FireSIGHT Impact Assessment With FireSIGHT, IPS events are assigned an impact level 0 – host not on monitored networks 4 – no entry for the host in the network map 3 – host not running the service or protocol that was attacked 2 – host is running the service or protocol that was attacked 1 – host is running the service or protocol that was attacked an a vulnerability is against the service or protocol is mapped to the host FireSIGHT also lets you fine-tune your IPS polices by recommending rules to protect against the known vulnerabilities in your environment

FireSIGHT Management Center (FMC)

Why is FireSIGHT Important? It gives you real-time information about what’s in your network Based on this knowledge … It can inform you of the vulnerabilities associated with what is running in your environment You can fine-tune policies to focus on the threats specific to your environment It can detect changes to your environment and alert you as soon as the change is detected You can act dynamically with custom alerting (email, syslog, SNMP, eStreamer) You can take action dynamically as well with remediation modules Remediation include scripts you can launch from the defense center

How is FireSIGHT information used? Fine-tuning IPS policies You can automatically select the rules and preprocessor configurations that apply to your environment You can protect hosts running services on non-standard ports (ie. HTTP running on port 1080 on a host and 8080 on antother) Enforce an organization’s security/usage policies Block or alert on use of unauthorized applications for example Monitor and act on unusual network behavior Alert on new hosts showing up in restricted network spaces or detect unusually high utilization Act on user activity

FireSIGHT Management Center (FMC) CATEGORIES EXAMPLES FirePOWER APPLIANCE TYPICAL IPS TYPICAL NGFW Threats Attacks, Anomalies ✔ Users AD, LDAP, POP3 ✗ Web Applications Facebook Chat, Ebay Application Protocols HTTP, SMTP, SSH File Transfers PDF, Office, EXE, JAR Malware Conficker, Flame Command & Control Servers C&C Security Intelligence Client Applications Firefox, IE6, BitTorrent Network Servers Apache 2.3.1, IIS4 Operating Systems Windows, Linux Routers & Switches Cisco, Nortel, Wireless Mobile Devices iPhone, Android, Jail Printers HP, Xerox, Canon VoIP Phones Avaya, Polycom Virtual Machines VMware, Xen, RHEV Contextual Awareness Information Superiority

FireSIGHT Management Center: Threat Information

FireSIGHT Management Center: Operational Value

FirePOWER Services

Traditional Defense-in-Depth Forced to buy multiple security solutions – firewalls, web filters, IPS modules, etc. Often from different vendors – compatibility issues Increases complexity, limited visibility Vulnerability – lack of unified protection creates gaps and blindspots Need several dedicated teams to configure, install, and monitor multiple systems Increased cost and labor, reduced incident response time

Challenges with Traditional Defense-in-Depth Security

Cisco ASA with FirePOWER Industry’s first adaptive, threat-focused NGFW designed for a new era of threat and advanced malware protection Delivers an integrated threat defense across the entire attack continuum Combines proven security of Cisco ASA firewall with industry-leading Sourcefire threat and advanced malware protection in a single device Unparalleled network visibility

Integrated Threat Defense Across the Attack Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall/VPN NGIPS Advanced Malware Protection With Cisco ASA, all the different layers of security you see at the bottom of this slide work together, so we’re able to pull intelligence from these layers. Unlike traditional solutions, we layer security intelligence, for greater visibility and to protect against threats coming from multiple vectors across the attack continuum. With our unique approach, all the solution parts know about each other. For example, the firewall knows about the IPS and its policies, the IPS sees data coming through the firewall, and the malware engine correlates its events with the IPS events. This integration even extend to correlating Indications of Compromise across endpoints and networks – no other solution provides this comprehensive capability. (Most competitors are still just trying to build out their portfolios to have solutions across the attack continuum!) Granular App Control Security Intelligence Retrospective Security Modern Threat Control Web Security IoCs/Incident Response Visibility and Automation

FirePOWER Services for ASA: Subscriptions Included * Appliance Feature Defaults Configurable Fail Open ✓ Connection/Flow Logging Network, User, and Application Discovery [4] Traffic filtering / ACLs NSS Leading IPS Engine Comprehensive Threat Prevention Security Intelligence (C&C, Botnets, SPAM etc) Blocking of Files by Type, Protocol, and Direction Basic DLP in IPS Rules (SSN, Credit Card etc.) Access Control: AVC - Enforcement by Application Access Control: Enforcement by User IPS and App Updates IPS Rule and Application Updates Annual Fee URL Filtering URL Filtering Subscription Malware Protection Subscription for Malware Blocking, Continuous File Analysis, Malware Network Trajectory * Included - Smartnet Required for Security Intel. Updates App Visibility / Control URL Filtering Advanced Malware Protection Next Gen IPS VPN Termination ACL’s – Protocol Inspection Routing Network Address Translation Base ASA Firewall Sourcefire Services

FirePOWER Licensing Virtual or Physical FireSIGHT Management Center required All FirePOWER Service device licenses are managed on the FireSIGHT Management Console. Licenses are specific to each ASA model and mapped to managed ASA devices Term licenses have a start and end date, beyond the end date requires renewal to receive subscription updates. Application Visibility and Control updates are included in SMARTnet Services IPS subscription is a pre-requisite for Advanced Malware Protection (AMP) SSDs are included in all new ASA FirePOWER Services hardware SKUs

Five Subscription Packages to Choose From for Each Appliance FirePOWER Licensing Five Subscription Packages to Choose From for Each Appliance URL 1 and 3 year terms AVC is part of the default offering AVC updates are included in SMARTnet IPS is required before AMP or URL license can be added URL AMP AMP URL IPS IPS IPS IPS TA TAC TAM TAMC

Intrusion Prevention System (IPS)

Sourcefire NGIPS Security Automation for Dynamic Defense Automatic threat assessment to prioritize relevance and impact Correlation and remediation features for real-time threat response Automated policy tuning to protect against new threats Protection and counter-measures maintained in optimal state Source: Cisco Live! BRKSEC-1030 San Diego 2015

IPS – File Processing File Policy: Blocked by policy Check dispo Blocked by dispo Store file Submit for Dynamic Analysis Logging: Recording file Movement Network file movement Store file content Source: FireSIGHT User Guide 5.4.0.1

IPS Automation

The Next Generation Security Model Cisco Live 2014 4/26/2017 Before Attack The Next Generation Security Model Attack Continuum BEFORE DURING AFTER Control Enforce Harden Detect Block Defend Scope Contain Remediate BEFORE THE ATTACK: You need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSight) Access Controls, Enforce Policy, Manage Applications And Overall Access To Assets. Access Controls reduce the surface area of attack, but there will still be holes that the bad guys will find. ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective Network Endpoint Mobile Virtual Cloud What Device Types, Users & Applications should be on the Network? Point in time Continuous

The Next Generation Security Model After Attack The Next Generation Security Model Attack Continuum BEFORE DURING AFTER Control Enforce Harden Detect Block Defend Scope Contain Remediate Network Endpoint Mobile Virtual Cloud AFTER THE ATTACK: Cross Device Information Sharing - Evolving invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal Also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself – on the network, endpoint, mobile devices, virtual environments, including cloud Point in time Continuous

Advanced Malware Protection (AMP)

AMP File Reputation Dynamic Analysis Retrospective Security (Sandboxing) Retrospective Security

Anti-Malware Protection & the Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate File Retrospection File Trajectory Contextual Awareness Control Automation Network In-line Threat Detection and Prevention File Retrospection File Trajectory Device Trajectory File Analysis THE WAY WE ANALYZE THE PROBLEM IS BY LOOKING AT THE ENTIRE ATTACK CONTINUUM OF THINGS YOU MUST DO: BEFORE, DURING AND AFTER AN ATTACK TAKES PLACE. IN ORDER TO DEAL WITH THE INDUSTRIALIZED THREAT, WE NEED TO LOOK AT THESE PHASES COMPREHENSIVELY: BEFORE AN ATTACK: WE NEED TO KNOW WHAT WE ARE DEFENDING….YOU NEED TO KNOW WHATS ON YOUR NETWORK TO BE ABLE TO DEFEND IT – DEVICES / OS / SERVICES / APPLICATIONS / USERS WE NEED TO IMPLEMENT ACCESS CONTROLS, ENFORCE POLICY AND BLOCK APPLICATIONS AND OVERALL ACCESS TO ASSETS. HOWEVER POLICY AND CONTROLS ARE A SMALL PIECE OF WHAT NEEDS TO HAPPEN. THEY MAY REDUCE THE SURFACE AREA OF ATTACK, BUT THERE WILL STILL BE HOLES THAT THE BAD GUYS WILL FIND. ATTACKERS DO NOT DISCRIMINATE. THEY WILL FIND ANY GAP IN DEFENSES AND EXPLOIT IT TO ACHIEVE THEIR OBJECTIVE. DURING THE ATTACK: WE MUST HAVE THE BEST DETECTION OF THREATS THAT YOU CAN GET ONCE WE DETECT ATTACKS, WE CAN BLOCK THEM AND DEFEND OUR ENVIRONMENT AFTER THE ATTACK: INVARIABLY ATTACKS WILL BE SUCCESSFUL, AND WE NEED TO BE ABLE TO DETERMINE THE SCOPE OF THE DAMAGE, CONTAIN THE EVENT, REMEDIATE, AND BRING OPERATIONS BACK TO NORMAL YOU ALSO NEED TO ADDRESS A BROAD RANGE OF ATTACK VECTORS, WITH SOLUTIONS THAT OPERATE EVERYWHERE THE THREAT CAN MANIFEST ITSELF – ON THE NETWORK, ENDPOINT, MOBILE DEVICES, VIRTUAL ENVIRONMENTS. FINALLY, TRADITIONAL SECURITY TECHNOLOGIES ONLY OPERATE AT A POINT IN TIME. THEY HAVE ONE SHOT TO DETERMINE IF SOMETHING IS BAD OR NOT. WITH TODAY’S THREAT LANDSCAPE FULL OF ADVANCED MALWARE AND ZERO DAY ATTACKS POINT IN TIME ALONE DOES NOT WORK. WHAT IS NEEDED IS A CONTINUOUS CAPABILITY, ALWAYS WATCHING, ALWAYS ANALYZING AND CAN DETECT, CONTAIN AND REMEDIATE A THREAT REGARDLESS OF TIME. ---------------------------------------------------------------------------------------------------------- Optional points (justification that new model is required) “Traditional defense tools are failing to protect enterprises from advanced targeted attacks and the broader problem of advanced malware” - Gartner, Five Styles of Advanced Threat Defense, August 20, 2013 “The free flow of information must continue to drive economic value…resilience, not just bigger locks, is the goal; accepting that failures will occur, the objective is to restore normal operations and ensure assets and reputations are protected” -Partnering for Cyber Resilience, World Economic Forum, March 2012 “There will continue to be an increase in advanced targeted attacks that bypass traditional protection mechanisms and persist undetected for extended periods of time. As a result, in all scenarios, systems and individuals mush be considered compromised” - Gartner, Prevention is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence, May 30, 2013 Endpoint File Execution Blocking Indications of Compromise Outbreak Control

Anti-Malware Process - Infected File Tracking

AMP: File Disposition and Dynamic Analysis Cisco Cloud is TALOS => Cisco SIO + Sourcefire VRT hash hash Retrospective Security Source: Cisco Live! BRKSEC-2028 Melbourne 2015

Host Profile

Network File Trajectory

Correlation Analysis with Context Produces IoC Source: Cisco Live! BRKSEC-1030 San Diego 2015

URL Filtering

URL Filtering Offers reputation and category-based filtering Comprehensive alerting and control over suspect traffic Enforces policies on hundreds of millions of websites in over 80 categories

URL Filtering

Meraki Security Appliance (MX)

Meraki Leader in cloud networking: 20,000+ customer networks deployed Founded in 2006 at MIT - tradition of innovation and R&D 350 employees worldwide 100% Cloud-managed edge and branch networking portfolio Complete line of wireless, switching, security, WAN optimization, and mobile device management products Now part of Cisco Increasing R&D investment in Meraki products Leveraging Cisco’s reach to bring Meraki to new markets No near-term changes planned to pricing, licenses, product roadmap, etc. Cisco purchased Meraki for 1.2B in 2012.

Cloud Subscription & Warranty Support Order Process How Meraki Works Step 1: Pick Hardware Step 2: Cloud Subscription & Warranty Support Step 3: Install Step 4: Dashboard Management Cloud License 1yr, 3yr, 5yr Install Warranty

Management – Cloud Dashboard Meraki Management Management – Cloud Dashboard Self-provisioning for rapid deployment and expansions Scalable network-wide monitoring and management tools Integrated Wireless, LAN, and WAN management, as well as Mobile Device management Seamless over-the-web maintenance, upgrades, monitoring, etc.

Application Visibility Layer 7 - Complete visibility and control

Out of band cloud management Meraki Pros Out of band cloud management Scalable Unlimited throughput, no bottlenecks Add devices or sites in minutes Reliable Highly available cloud with multiple datacenters Network functions even if connection to cloud is interrupted 99.99% uptime SLA Secure No user traffic passes through cloud Fully HIPAA / PCI compliant (level 1 certified) 3rd party security audits, daily penetration test Reliability and security information at meraki.com/trust WAN Management data (1 kb/s) LAN

Meraki Features Hardware – “MX” Next Generation Firewall: Layer 7 traffic classification and control Intrusion detection engine Identity based and device-aware security 3G / 4G Failover: Cellular support for maximum uptime Seamless, automatic failover with traffic prioritization WAN Optimization: Universal data store with de-duplication WAN link compression Auto VPN: Auto-provisioning IPSec VPN Automatically configured VPN parameters Flexible tunneling, topology and security policies Content Filtering: Identity-based filtering policies

Subscription/License – “MX” Meraki Licensing Subscription/License – “MX”

Stateful Firewall Throughput WAN Optimization Cache Meraki Sizing Hardware – “MX” MX400 MX100 MX80 MX60W MX60 Z1 (Teleworker) Stateful Firewall Throughput 1 Gbps 500 Mbps 250 Mbps 100 Mbps 50 Mbps VPN Throughput 325 Mbps 225 Mbps 125 Mbps 10 Mbps WAN Optimization Cache 1 TB SATA 100 MB N/A Interfaces 8 x GbE 8 x GbE (SFP) 4 x 10 GbE (SFP+) 2 x GbE (SFP) 5 x GbE 5 × GbE 1 × 802.11n 1 x GbE WAN 4 x GbE LAN Integrated Intrusion Detection (IDS) Device Aware Access Controls (BYOD) (Layer 7) Category-based content filtering Load Balance WAN connections 3G/4G backup WAN connectivity WAN Acceleration/Optimization

Cloud Value Proposition Meraki Cloud Cloud Value Proposition Maintenance & Upgrades (Quarterly Releases): Automatic firmware maintenance New feature implementation Automatic implementation of performance improvements and enhancements Monitoring: Application level (layer 7) monitoring & reporting Performance monitoring Technology and Configuration: Extremely easy configuration Fully featured Cloud Managed Warranty & Maintenance: Case-based support viewable in dashboard Firmware and Software updates/upgrades 24x7 telephone support

Next: More Intrusion Alert Methods