Next Generation: Anticipate, block, and respond to threats

Luc Billot, Cyber Security Technical Architect - Cisco, April 2019

Why Cisco Bought SourceFire?

© 2019 Cisco and/or its affiliates. All rights reserved.

It is a 2.7 Billion $ question…

• SNORT
• VRT
• Immunet
• ClamAV
• FirePower
• FireSight


Security is an Integration Game

[Integration diagram: Firepower Management Center at the centre, connected to NGIPS, NGFW, Stealthwatch, ISE, AD, Tetration, AMP, Threat Grid, Web Security, AMP for Endpoints, Umbrella, Email Security and Investigate. External inputs are 3rd-party vulnerability data, 3rd-party threat intelligence, identity from ISE and API transactions; outputs are logging and data sent to the SIEM, DNS and orchestration.]

Products & Intelligence

Talos is the intelligence backbone for all Cisco Security Products and Services.

Products by area:

• Endpoint: ThreatGrid, AMP
• Network: FirePower/ASA, Snort Rules, ISR, Meraki
• Cloud: OpenDNS
• Email: ESA, CES, SenderBase, SpamCop
• Web: WSA
• Open Source: ClamAV, ClamAV Sigs
• Services: ATA, IR, Custom

Detection services delivered through these products: malware protection; URL, domain and IP reputation; cloud and endpoint IOCs; vulnerability protection; AVC; policy and control; email reputation; spam detection; network protection.

Cisco Firewalls have you covered

Protection matrix for WannaCry (May 2017), NotPetya (June 2017) and VPNFilter (May 2018), by product: AMP, CWS, Firewall, Threat Grid, Umbrella, WSA. Each product is marked "Protection" for the threats it covered; CWS, Umbrella and WSA each carry one N/A cell.

Automatic Threat Prevention

Block or allow access to URLs and domains

[Diagram: security feeds (URL | IP | DNS) drive Security Intelligence, URL Filtering and the DNS Sinkhole on the NGFW; an admin creates category-based policy (e.g. category "gambling" → Allow or Block) and Safe Search is enforced.]

• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage Acceptable Use Policy
• Block latest malicious URLs
• Understand threat details and quickly respond

Next-Generation Intrusion Prevention System (NGIPS)

[Diagram: ISE supplies app and device data; blended threats (network profiling, phishing attacks, innocuous payloads, infrequent callouts) arrive as data packets and communications, and the NGIPS blocks or accepts them, prioritizes, and automates response policies.]

1. Scan network traffic
2. Correlate data
3. Detect stealthy threats
4. Respond based on priority

Automated Impact Assessment

Correlates all intrusion events to an impact of the attack against the target.

Impact Flag | Administrator Action | Why
1 | Act immediately; vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate; potentially vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to know; currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know; unknown target | Monitored network, but unknown host
0 | Good to know; unknown network | Unmonitored network

Indications of Compromise (IoCs) Detection & Threat Correlation
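An added worked example (my own code, not Cisco's or Firepower's) of the impact-flag logic in the table above, in Python: it tests the table's five conditions in order against a host inventory and sorts the resulting events most urgent first, which is what "respond based on priority" amounts to in practice. The host and event records, the 10.0.0.0/24 monitored range and the VULN-EXAMPLE-* identifiers are constructed assumptions; a real deployment takes them from network discovery and the rule-to-vulnerability mapping.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HostProfile:
    """What network discovery knows about one monitored host (constructed)."""
    ip: str
    open_services: frozenset    # {(protocol, port)} observed in use on the host
    vulnerabilities: frozenset  # vulnerability IDs mapped to the host


@dataclass(frozen=True)
class IntrusionEvent:
    """One intrusion event: the target plus the vulnerabilities the rule covers."""
    dst_ip: str
    protocol: str
    dst_port: int
    rule_vulns: frozenset       # vulnerability IDs associated with the rule


# Administrator action text, as in the impact-flag table
ACTION = {
    1: "Act immediately; vulnerable",
    2: "Investigate; potentially vulnerable",
    3: "Good to know; currently not vulnerable",
    4: "Good to know; unknown target",
    0: "Good to know; unknown network",
}
# Triage order: flag 1 is the most urgent, flag 0 the least
URGENCY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def impact_flag(event, hosts, monitored_networks):
    """Assign the impact flag (0-4) by checking the table's conditions in order."""
    dst = ipaddress.ip_address(event.dst_ip)
    if not any(dst in net for net in monitored_networks):
        return 0                                   # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                   # monitored network, unknown host
    if event.rule_vulns & host.vulnerabilities:
        return 1                                   # vulnerability mapped to this host
    if (event.protocol, event.dst_port) in host.open_services:
        return 2                                   # port open / protocol in use, no vuln mapped
    return 3                                       # port not open / protocol not in use


def triage(events, hosts, monitored_networks):
    """Return (flag, dst_ip, action) tuples, most urgent first."""
    rows = [(impact_flag(e, hosts, monitored_networks), e.dst_ip) for e in events]
    rows.sort(key=lambda r: URGENCY[r[0]])
    return [(flag, ip, ACTION[flag]) for flag, ip in rows]


# Constructed sample data; the vulnerability IDs are placeholders, not real CVEs
MONITORED = [ipaddress.ip_network("10.0.0.0/24")]
HOSTS = {
    "10.0.0.10": HostProfile("10.0.0.10",
                             frozenset({("tcp", 445), ("tcp", 80)}),
                             frozenset({"VULN-EXAMPLE-1"})),
    "10.0.0.20": HostProfile("10.0.0.20",
                             frozenset({("tcp", 22)}),
                             frozenset()),
}
EVENTS = [
    IntrusionEvent("192.168.5.5", "tcp", 22, frozenset({"VULN-EXAMPLE-1"})),   # outside monitored range
    IntrusionEvent("10.0.0.20", "tcp", 445, frozenset({"VULN-EXAMPLE-1"})),    # port not open, no vuln mapped
    IntrusionEvent("10.0.0.10", "tcp", 445, frozenset({"VULN-EXAMPLE-1"})),    # vuln mapped to host
    IntrusionEvent("10.0.0.99", "tcp", 22, frozenset({"VULN-EXAMPLE-1"})),     # host not in inventory
    IntrusionEvent("10.0.0.10", "tcp", 80, frozenset({"VULN-EXAMPLE-9"})),     # port open, vuln not mapped
]

if __name__ == "__main__":
    for flag, ip, action in triage(EVENTS, HOSTS, MONITORED):
        print(f"impact {flag}  {ip:<12} {action}")
```

The order of the checks matters: a host that is both unknown and on an unmonitored network must come out as flag 0, not 4, and a mapped vulnerability must win over a merely open port, so the conditions are evaluated exactly in the table's sequence.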

Security Intelligence events: connections to known CnC IPs and DNS servers; suspect URLs
Malware events: malware detections; malware executions; dropper infections; Office/PDF/Java compromises
IPS events: malware backdoors; CnC connections; admin privilege escalations; exploit kits; web app attacks

Firepower Recommendations: knows what I do not; uncover hidden threats in the environment

Advanced Malware Protection (AMP)

Breadth and control points: Email, Endpoints, Web, Network, IPS, Devices (WWW)

[Diagram: a continuous telemetry stream of file fingerprint and metadata, file and network I/O, and process information is fed to Talos + Threat Grid intelligence for continuous analysis, yielding retrospective detection, behavioral indications of compromise, trajectory and threat hunting.]

AMP in Action

• Who: Focus on these users first
• What: These applications are affected
• Where: The breach impacted these areas
• When: This is the scope of exposure over time
• How: Here is the origin and progression of the threat

Network and Endpoint Correlation in Firepower Management Center

The results speak for themselves

4.6 Hours: median time to detection with Cisco security*
Weeks: industry average time to detection

* Source: Cisco 2018 Annual CyberSecurity Report

More visibility equals faster time to detection (Network and Security Visibility and Analysis: see more and detect threats faster)

• Visibility into threat activity across users, hosts, networks, and infrastructure
• Network file trajectory maps how hosts transfer files, including malware files, across your network to scope an attack, set outbreak controls, and identify the source of the threat
• Centralized management provides contextual threat analysis and reporting, with consolidated visibility into security and network operations

Gain more insight with increased visibility

“You can’t protect against what you can’t see”

[Diagram: nested scope of visibility. A typical IPS and a typical NGFW each see only a subset; Cisco Firepower™ NGFW sees all of: client applications, operating systems, command and control servers, file transfers, mobile devices, threats, routers and switches, users, application protocols, web applications, printers, malware, network servers, VoIP phones.]

Application Visibility & Control: provide next-generation visibility into app usage

[Diagram: (1) the Cisco database of 4,000+ pre-defined apps and (2) OpenAppID detectors feed application detection for the network and its users, so traffic can be prioritized.]

• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps
• Extend AVC to proprietary and custom apps

OpenAppID - Crowdsourcing Application Detection

Self-Service, Open-Source

• Easily customize application detectors
• Detect custom and proprietary applications
• Share detectors with other users

TLS/SSL decryption engine: uncover hidden threats at the edge

[Diagram: encrypted HTTPS flows (URLs shown as unreadable) enter the TLS/SSL decryption engine, which feeds NGIPS, AVC and TLS enforcement decisions; once decrypted, sites can be classified (e.g. "gambling", "illicit") and every session is written to the encrypted traffic log.]

• Decrypt traffic in hardware and software
• Inspect deciphered packets
• Track and log all TLS sessions

Visibility Provides Context

Detailed Threat Analytics



Customizable Monitoring and Reporting

Closing

Products: https://www.cisco.com/c/en/us/products/security/firewalls/index.html#~products

Cisco Firepower® 2100 Series
• Internet edge to small data center environments. Better security, more visibility
• Firewall throughput and sustained performance with threat inspection from 2.0 to 8.5 gigabytes
• Stateful firewall, AVC, NGIPS, AMP, URL filtering, DDoS (Radware vDP)

Cisco Firepower 4100 Series
• Internet edge, high-performance enterprise environments
• Firewall throughput and threat inspection from 20 to 60 gigabytes
• Firewall, AVC, NGIPS, AMP, URL filtering, DDoS (Radware vDP)

Cisco Firepower 9300 Security Appliance
• Service provider, data center environments
• Firewall throughput up to 225 gigabytes and threat inspection up to 90 gigabytes
• Stateful firewall, AVC, NGIPS, AMP, URL filtering

To learn more, visit Cisco Next-Generation Firewalls

Virtual and Cloud Solutions

• NGIPS
• Firewall
• URL filtering
• AVC
• AMP
• VPN (IPsec and SSL)

Managed by FMC and FDM
