Slide 1: Evaluation Process
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Slide 2: Evaluation Process
1. Develop test plan / requirements list
   o IPS vs. IDS, app control, vulnerability testing, performance requirements, etc.
2. Scope of appliances
3. Kick-off install
4. Weekly reviews
5. Recap

Slide 3: What Sourcefire Will Provide
- Dedicated sales engineer
- Appliances (sensors and management)
- Weekly review of the system
- Executive reports
- Pricing for production devices
- Event analysis

Slide 4: What Customer Will Provide / Prep
- Network diagram
- Rack space, cabling, and a shelf or other place to stack the appliances (rail kits are not always shipped with evals)
- Available power (maximum of four power connections)
- SPAN port identified, configured, and traffic verified
- IP addresses for the management port on each appliance
- Depending on where the components sit, firewall or other network configuration may be required to allow sensors to connect to the Defense Center:
  o Port 8305 is the default communications port for DC-to-sensor communications
  o Ports 443 and 22 are for communication directly with the DC or sensors
- NTP server address
- Unauthenticated mail relay address (restrict the relay to accept mail from the DC's management IP rather than leaving it open to the whole network)
- Identified InfoSec point of contact and/or network team contact for install setup, addressing, etc., if any network configuration is needed
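The firewall prerequisites above are the item that most often stalls a kick-off, so it pays to turn them into an explicit flow list and probe it before the SE arrives. The script below is an added example, not part of the deck or of any Sourcefire tooling: it expands the slide's list (TCP 8305 between the Defense Center and each sensor, TCP 443 and 22 for direct management, NTP, mail relay) into per-source flows and tests the TCP ones with a plain connect(). The admin workstation as the source of management sessions, NTP on UDP/123, the relay on TCP/25, and 8305 being needed in both directions are assumptions not stated on the slides; all addresses are constructed.

```python
"""Pre-install flow check for a Sourcefire eval (added example, not from the deck).

Slide 4 lists what must be reachable before the kick-off: TCP 8305 between
the Defense Center (DC) and each sensor, TCP 443 and 22 for direct management
of the DC or sensors, an NTP server and an unauthenticated mail relay. This
script turns that list into explicit flows and probes the TCP ones with a
connect() so missing firewall rules surface early.

Assumptions (not stated on the slides): NTP is UDP/123, the mail relay is
reached on TCP/25, the admin workstation originates management sessions, and
8305 is wanted in both directions.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DC_SENSOR_PORT = 8305   # default DC <-> sensor channel (slide 4)
MGMT_PORTS = (443, 22)  # HTTPS UI and SSH to the DC or a sensor (slide 4)
NTP_PORT = 123          # assumption: standard UDP NTP
SMTP_PORT = 25          # assumption: plain SMTP to the relay


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str
    purpose: str


def required_flows(dc: str, sensors: List[str], ntp: str, mail_relay: str,
                   admin_host: str = "admin-workstation") -> List[Flow]:
    """Expand the slide-4 prerequisites into one Flow per (src, dst, port)."""
    flows: List[Flow] = []
    for s in sensors:
        flows.append(Flow(s, dc, DC_SENSOR_PORT, "tcp", "sensor -> DC management channel"))
        flows.append(Flow(dc, s, DC_SENSOR_PORT, "tcp", "DC -> sensor management channel"))
    for appliance in [dc, *sensors]:
        for p in MGMT_PORTS:
            flows.append(Flow(admin_host, appliance, p, "tcp", "direct management"))
        flows.append(Flow(appliance, ntp, NTP_PORT, "udp", "time sync"))
    flows.append(Flow(dc, mail_relay, SMTP_PORT, "tcp", "scheduled reports / alerts"))
    return flows


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows: List[Flow], this_host: str,
                probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[Flow, Optional[bool]]:
    """Probe the TCP flows that originate from this_host; all others stay None.

    Run once from each source (the DC, the sensor subnet, the admin workstation)
    and merge the results. UDP flows cannot be verified by a TCP connect and are
    always reported as unverified.
    """
    results: Dict[Flow, Optional[bool]] = {}
    for f in flows:
        if f.proto != "tcp" or f.src != this_host:
            results[f] = None
        else:
            results[f] = probe(f.dst, f.port)
    return results


def blocked(results: Dict[Flow, Optional[bool]]) -> List[Flow]:
    """Flows that were probed and failed: these need a firewall rule before install."""
    return [f for f, ok in results.items() if ok is False]


def unverified(results: Dict[Flow, Optional[bool]]) -> List[Flow]:
    """Flows not probed from this host (other source, or UDP)."""
    return [f for f, ok in results.items() if ok is None]


if __name__ == "__main__":
    # Constructed sample addresses; run this copy on the DC itself.
    flows = required_flows("10.0.1.10", ["10.0.2.20", "10.0.3.30"], "10.0.0.5", "10.0.0.25")
    res = check_flows(flows, this_host="10.0.1.10")
    for f in blocked(res):
        print(f"BLOCKED    {f.src} -> {f.dst}:{f.port}/{f.proto}  ({f.purpose})")
    for f in unverified(res):
        print(f"UNVERIFIED {f.src} -> {f.dst}:{f.port}/{f.proto}  run from {f.src} or check by hand")
```

The probe is injectable so the flow table can be reviewed with the network team before anything is plugged in; a failed 8305 probe from the sensor subnet is the usual sign that the firewall between the SPAN location and the DC still needs a rule.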

Slide 5: Evaluation Checklist
- Requirements: performance, application control, malware, inspection, API integration, custom rules, centralized management, etc.
- Testing environment: production or lab
- General architecture: types of connections; integration with other technology; inline / passive
- Testing tools
- Point of contact / groups involved
- Timeline

Slide 6: Onsite Eval Kick-Off Meeting
- Review design, requirements and action plan
- Quick recap of dashboards, workflows, FireSIGHT context viewer, reports
- Installation
- Schedule weekly meetings / GMT for the next 3-4 weeks to cover:
  o Reports, events, fine tuning, basic configuration

Slide 7: Recap Meeting
- General feedback
- Overview of methodology
- Demo of configuration
- Key findings: events, performance
- High impact threat report
- Requirement review
- Discuss possible purchase timeline

Slide 8: Sample NGIPS Requirements List

Management Platform
- Hierarchical management
- Management HA
- Data views and dashboard customization
- Ease of deployment and ongoing administration
- Central management
- Ability to drill down during investigation
- Reporting
- Role-based management
- External authentication (RADIUS, LDAP, etc.)
- Fully searchable event database
- Ability to create and save custom searches
- Custom dashboards per user
- Full audit logging
- Automated updates
- Fully integrated reporting system
- Multiple report formats (PDF, CSV, HTML, etc.)
- Ability to see detailed performance information
- Multi-tenant management
- Packet capture for ALL events

Contextual Awareness and Security Automation
- Real-time adaptive IPS (based on RNA host profile)
- Automatic IPS event correlation: impact analysis, business relevance, risk level, application
- Automatic / self-tuning option
- Ability to fully automate tasks such as reports, updates, backups, etc.
- Ability to prioritize events based on relevance to the protected environment
- Ability to automatically tune policy based on devices in the protected environment
- Ability to identify devices (printers, routers, switches, etc.)
- Ability to identify operating systems
- Ability to identify applications
- Ability to identify services
- Ability to use externally generated flow data
- Ability to look for anomalous traffic patterns
- Ability to identify users
- Ability to detect anomalous network devices (compliance white list)

Security Intelligence
- IP reputation / blacklists
- Detection of known C&C servers
- Geolocation

IPS
- Industry validation (NSS Labs, Gartner, etc.)
- Threat detection
- Ability to see rule/filter/signature (open rules)
- Ability to edit existing rules
- Ability to create custom rules
- Packet capture
- Ability to download packet captures
- Ability to generate flow data
- Ability to inspect IPv6 traffic
- Ability to inspect traffic inline or out of band

Application Control Features
- Ability to view a large range of applications
- Ability to control applications
- Ability to control sub-applications or specific application functionality
- Ability to control applications by user or group
- Ability to control applications by risk level
- Ability to control applications by business relevance
- Ability to define application groups
- Ability to maintain performance while performing application control
- Ability to control mobile devices / OS

Slide 9: Sample Malware Requirements
- Find the root cause of infected machines
- Provide protection if an endpoint is out of the network
- Leverage the cloud for real-time analysis
- Protect endpoints and mobile devices, including tablets and mobile phones
- Locate patient zero for a specific threat, i.e. when and on whose machine it was first installed or executed
- Retroactively provide details on who downloaded and executed malware, and when
- Provide file analysis (how many data points?)
- Include screen captures of the file when it was first seen, to assist with educating end users on what to look for
- Remediate via custom detections, i.e. cloud-based SHA or original file
- Remediate via advanced custom detections, i.e. client-based, using advanced techniques (e.g. offsets, wildcards, regular expressions)
- Remediate via application blocking lists
- Remediate via custom white lists
- Automatically create simple custom detections

Overview of Functionality
- Events & Indicators of Compromise: events, relationships between suspicious behaviors (e.g. Word or Java executing other files), etc.
- File Trajectory: patient zero, when malware was first seen and on which computer in your environment, its parentage and lineage, how it moves between hosts
- Device Trajectory: relationship of files and network traffic on a single computer; parent-child relationships on a machine; files spawning other files (e.g. java.exe creating other files)
- File Analysis: once you have the "unknown" file, run it through the sandbox to get screenshots, PCAPs, the original sample, static analysis, runtime analysis of files dropped, and URLs connected to
- Control: simple and advanced methods to control / clean up
- Setup, config & reporting: groups, policies, etc.


Slide 11: Bigger, Faster, Stronger Reports


Slide 13: Attack Risk / Network Risk (report chart; only the panel titles survive)

Slide 14: Network Risk (report chart; only the panel title survives)


Slide 16: Better Together

Slide 17: Sample Items

Slide 18: Brief Recap
- 90-day graphs provided
  ▸ Can we get sample pcaps?
- Current priority is traffic from outside coming in
- External FW and internal PCI segments
  ▸ Eval to focus on IDS
- Other technologies in place include RSA, Tripwire, SecurID tokens, syslog exports
- 10 Gig future options
- Discussed latency concerns and the requirement for dual power
- Application control options
- Cisco 5580-40 gear

Slide 19: Eval Items Provided
- (1) 3D7120 sensor
- (1) DC1500 management server with FireSIGHT
- AppControl license for additional visibility

Slide 20: POV Items Needed
Same prep checklist as slide 4: rack space, cabling and shelf (rail kits are not always shipped with evals); available power (maximum of four power connections); SPAN port identified, configured and traffic verified; management IP addresses for each appliance; firewall rules for DC-to-sensor port 8305 and for 443/22 to the DC or sensors; NTP server address; unauthenticated mail relay address; InfoSec and network team contacts for install setup and addressing.
