Next Generation Firewall: Anticipate, block, and respond to threats
Luc Billot, Cyber Security Technical Architect, Cisco, April 2019

Why Cisco Bought Sourcefire?
© 2019 Cisco and/or its affiliates. All rights reserved.
It is a 2.7 Billion $ question…
• SNORT
• VRT
• Immunet
• ClamAV
• FirePower
• FireSight
Security is an Integration Game
[Integration diagram: Firepower Management Center at the centre, fed by 3rd Party Vuln Data and 3rd Party Threat Intelligence, and integrated with Stealthwatch, NGIPS, NGFW, ISE (identity), AD, Tetration, AMP, Threat Grid, AMP for Endpoints, Web Security, Email Security, Umbrella, Investigate, DNS, Orchestration and Logging/SIEM (sending data to the SIEM, API transactions, identity from ISE)]
Products & Intelligence
Talos is the intelligence backbone for all Cisco Security Products and Services.
[Product matrix, columns: End Point, Network, Cloud, Email, Web, Open Source, Services. Products: ThreatGrid, AMP, FirePower/ASA, Snort Rules, ISR, Meraki, OpenDNS, ESA, CES, SenderBase, WSA, ClamAV, ClamAV Sigs, SpamCop, ATA, IR. Detection services per column include Cloud & End Point IOCs, Malware Protection, URL/Domain/IP Reputation, Email Reputation, Vulnerability Protection, Phishing and Spam Detection, AVC, Policy & Control, Network Protection and Custom Protection]
Cisco Firewalls have you covered
[Table: coverage of WannaCry (May 2017), NotPetya (June 2017) and VPNFilter (May 2018) by product: AMP, CWS, Firewall, Threat Grid, Umbrella, WSA; each cell reads either "Protection" or "N/A"]
Automatic Threat Prevention

Block or allow access to URLs and domains
[Diagram: Security Intelligence, URL Filtering and DNS Sinkhole. Security feeds (URL | IP | DNS) drive NGFW filtering; category-based policy (e.g. gambling: Allow/Block), Safe Search and DNS Sinkhole; category-based policy creation by the admin]
• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage Acceptable Use Policy
• Block latest malicious URLs
• Understand threat details and quickly respond

Next-Generation Intrusion Prevention System (NGIPS)
[Diagram: ISE app and device data feeds the NGIPS; blended threats such as phishing attacks, innocuous payloads and infrequent callouts are examined through network profiling, data packets and communications, then blocked or accepted; responses are prioritised and response policies automated]
1. Scan network traffic
2. Correlate data
3. Detect stealthy threats
4. Respond based on priority

Automated Impact Assessment
Correlates all intrusion events to an impact of the attack against the target.

Impact Flag | Administrator Action | Why
1 | Act immediately; vulnerable | Event corresponds to a vulnerability mapped to the host
2 | Investigate; potentially vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to know; currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know; unknown target | Monitored network, but unknown host
0 | Good to know; unknown network | Unmonitored network

Indications of Compromise (IoCs) Detection & Threat Correlation
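The following is an added worked example of the Automated Impact Assessment table above; it is not Cisco code and does not use the FMC schema. It models the host inventory, monitored networks and intrusion events as constructed sample data (field names, the network range and the vulnerability label are assumptions) and walks each event through the five outcomes in the table.

```python
# Added example, not Cisco code: impact-flag assignment modelled on the
# Automated Impact Assessment table. Hosts, networks and events below are
# constructed sample data; field names are assumptions, not FMC's schema.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Host:
    ip: str
    open_ports: set = field(default_factory=set)  # (proto, port) pairs in use
    vulns: set = field(default_factory=set)       # vulnerability IDs mapped to host

@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int
    vuln_ids: set  # vulnerabilities the triggering rule is associated with
ACTIONS = {1: "Act immediately; vulnerable",
           2: "Investigate; potentially vulnerable",
           3: "Good to know; currently not vulnerable",
           4: "Good to know; unknown target",
           0: "Good to know; unknown network"}

def impact_flag(event, hosts, monitored_networks):
    """Return the impact flag (0-4) of an intrusion event against its target."""
    target = ip_address(event.dst_ip)
    if not any(target in ip_network(n) for n in monitored_networks):
        return 0  # unmonitored network: nothing is known about the target
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4  # monitored network, but the host is not in the inventory
    if host.vulns & event.vuln_ids:
        return 1  # rule maps to a vulnerability already mapped to this host
    if (event.proto, event.dst_port) in host.open_ports:
        return 2  # port open / protocol in use, but no vulnerability mapped
    return 3      # port not open or protocol not in use on this host

# Constructed inventory, one target per outcome; "VULN-SMB-1" is a made-up label.
MONITORED = ["10.0.1.0/24"]
SAMPLE_HOSTS = {"10.0.1.10": Host("10.0.1.10", {("tcp", 445)}, {"VULN-SMB-1"}),
                "10.0.1.20": Host("10.0.1.20", {("tcp", 445)}),
                "10.0.1.30": Host("10.0.1.30", {("tcp", 22)})}
SAMPLE_EVENTS = [IntrusionEvent(ip, "tcp", 445, {"VULN-SMB-1"}) for ip in
                 ("10.0.1.10", "10.0.1.20", "10.0.1.30", "10.0.1.99", "192.168.5.5")]

def assess(events=SAMPLE_EVENTS, hosts=SAMPLE_HOSTS, nets=MONITORED):
    # Rank by urgency (1 first, 0 last) and attach the administrator action.
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    rows = [(impact_flag(e, hosts, nets), e.dst_ip) for e in events]
    return [(f, ip, ACTIONS[f]) for f, ip in sorted(rows, key=lambda r: order[r[0]])]
```

The same rule hitting five targets yields five different flags, which is the point of the table: the host inventory, not the signature, decides how urgent the event is.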
[Diagram: Security Intelligence events, Malware events and IPS events are correlated into IoCs such as connections to known malware CnC IPs and DNS servers, backdoors, CnC connections, malware detections, malware executions, suspect URLs, admin privilege escalations, Office/PDF/Java compromises, exploit kits, dropper infections and web app attacks]

Firepower Recommendations: Knows what I Do Not

Uncover hidden threats in the environment

Advanced Malware Protection (AMP)
Breadth and control points: WWW, Email, Endpoints, Web, Network, IPS, Devices
Telemetry stream (continuous feed): File fingerprint and metadata, File and network I/O, Process information
Continuous analysis with Talos + Threat Grid intelligence: Retrospective detection, Behavioral indications of compromise, Trajectory, Threat hunting

AMP in Action
Network and Endpoint Correlation in Firepower Management Center
• Who: Focus on these users first
• What: These applications are affected
• Where: The breach impacted these areas
• When: This is the scope of exposure over time
• How: Here is the origin and progression of the threat

The results speak for themselves
4.6 hours: median time to detection with Cisco security*
Weeks: industry average time to detection
* Source: Cisco 2018 Annual Cybersecurity Report

Network and Security Visibility and Analysis
More visibility equals faster time to detection. See more and detect threats faster.
• Visibility into threat activity across users, hosts, networks, and infrastructure
• Network file trajectory maps how hosts transfer files, including malware files, across your network to scope an attack, set outbreak controls, and identify the source of the threat
• Centralized management provides contextual threat analysis and reporting, with consolidated visibility into security and network operations

Gain more insight with increased visibility
“You can’t protect against what you can’t see”
[Diagram comparing the visibility of a typical IPS, a typical NGFW and Cisco Firepower™ NGFW across: threats, users, web applications, application protocols, file transfers, malware, command and control servers, client applications, operating systems, routers and switches, network servers, mobile devices, printers, VoIP phones]

Provide next-generation visibility into app usage: Application Visibility & Control
[Diagram: the Cisco database of 4,000+ pre-defined apps (1) and OpenAppID (2) feed AVC for the network and its users]
• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps
• Extend AVC to proprietary and custom apps

OpenAppID - Crowdsourcing Application Detection
Self-service, open source:
• Easily customize application detectors
• Detect custom and proprietary applications
• Share detectors with other users

Uncover hidden threats at the edge: TLS/SSL decryption engine
[Diagram: encrypted traffic (obfuscated https:// URLs) passes through the TLS decryption engine; enforcement decisions are made by NGIPS, AVC and URL categories such as gambling and illicit; every session is logged]
• Decrypt traffic in hardware and software
• Inspect deciphered packets
• Track and log all TLS sessions

Visibility Provides Context
Detailed Threat Analytics

Customizable Monitoring and Reporting

Closing
Products: https://www.cisco.com/c/en/us/products/security/firewalls/index.html#~products

Cisco Firepower® 2100 Series
• Internet edge to small data center environments. Better security, more visibility
• Firewall throughput and sustained performance with threat inspection from 2.0 to 8.5 gigabytes
• Stateful firewall, AVC, NGIPS, AMP, URL filtering

Cisco Firepower 4100 Series
• Internet edge, high-performance enterprise environments
• Firewall throughput and threat inspection from 20 to 60 gigabytes
• Stateful firewall, AVC, NGIPS, AMP, URL filtering, DDoS (Radware vDP)

Cisco Firepower 9300 Security Appliance
• Service provider, data center environments
• Firewall throughput up to 225 gigabytes and threat inspection up to 90 gigabytes
• Firewall, AVC, NGIPS, AMP, URL filtering, DDoS (Radware vDP)

To learn more, visit Cisco Next-Generation Firewalls
Virtual and Cloud Solutions
• NGIPS
• Firewall
• URL
• AVC
• AMP
• VPN (IPsec and SSL)
Managed by FMC and FDM