Upload: cisco-public-sector

Post on 15-Jul-2015

TRANSCRIPT

Cisco NGIPS

Chris Johnson

Security Consulting Systems Engineer

February 2015

Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Threat Landscape Demands more than Application Control

The threat avoids detection and attacks swiftly

It is a community that hides in plain sight

60% of data is stolen in hours

100% of companies connect to domains that host malicious files or services

54% of breaches remain undiscovered for months


‘Defense-in-Depth’ Security Alone Is Not Enough

Manual and Static: slow, manual, inefficient response

Poor Visibility: undetected multi-vector and advanced threats

Siloed Approach: increased complexity and reduced effectiveness


Integrated Threat Defense Across the Attack Continuum

Attack Continuum   BEFORE                     DURING                    AFTER
Action             Control, Enforce, Harden   Detect, Block, Defend     Scope, Contain, Remediate
Product            Firewall/VPN               NGIPS                     Advanced Malware Protection
                   Security Intelligence      Granular App Control      Retrospective Security
                   Web Security               Modern Threat Control     IoCs/Incident Response

Visibility and Automation (spanning the whole continuum)


Threats hidden in plain sight

Visibility Is the Key


FirePOWER Brings Unprecedented Network Visibility

(Comparison chart: visibility of a Typical NGFW vs. FirePOWER Services vs. a Typical IPS)


Impact Assessment

Correlates every intrusion event with what is known about the target host and assigns an impact flag:

Impact Flag | Administrator Action                    | Why
1           | Act immediately, vulnerable             | Event corresponds to a vulnerability mapped to the host
2           | Investigate, potentially vulnerable     | Relevant port open or protocol in use, but no vulnerability mapped
3           | Good to know, currently not vulnerable  | Relevant port not open or protocol not in use
4           | Good to know, unknown target            | Monitored network, but unknown host
0           | Good to know, unknown network           | Unmonitored network
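Worked example, added here and not code from the deck or from Cisco FireSIGHT: the impact-flag decision in the table above, implemented as a function that correlates an intrusion event against a passively learned host profile and then orders a batch of events for triage. The host-profile fields, the event fields, the monitored network list and the sample events are assumptions constructed for this illustration; the CVE ids are real identifiers used only as labels for "vulnerability referenced by the rule".

```python
"""Impact-flag correlation, in the style of the table above (added example, not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HostProfile:
    """What the sensor has learned about one monitored host (assumed data model)."""
    ip: str
    open_tcp_ports: Set[int] = field(default_factory=set)
    open_udp_ports: Set[int] = field(default_factory=set)
    protocols: Set[str] = field(default_factory=set)   # non-port protocols seen, e.g. "icmp"
    vulns: Set[str] = field(default_factory=set)       # vulnerability ids mapped to its services


@dataclass
class IntrusionEvent:
    """The parts of an IPS event the correlation needs (assumed data model)."""
    dst_ip: str
    protocol: str               # "tcp", "udp", "icmp", ...
    dst_port: Optional[int]     # None for protocols without ports
    vuln_refs: Set[str]         # vulnerability ids referenced by the rule that fired


IMPACT_LABEL = {
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}


def impact_flag(event: IntrusionEvent, monitored: List[str], hosts: Dict[str, HostProfile]) -> int:
    """Apply the table's rules top-down: 0, then 4, then 1, then 2/3."""
    dst = ip_address(event.dst_ip)
    if not any(dst in ip_network(net) for net in monitored):
        return 0                                   # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                   # monitored network, host never profiled
    if event.vuln_refs & host.vulns:
        return 1                                   # rule's vulnerability is mapped to the host
    if event.protocol == "tcp":
        in_use = event.dst_port in host.open_tcp_ports
    elif event.protocol == "udp":
        in_use = event.dst_port in host.open_udp_ports
    else:
        in_use = event.protocol in host.protocols
    return 2 if in_use else 3                      # service present vs. absent


# Triage order: flag 1 first; flag 0 (unknown network) is the least actionable.
TRIAGE_ORDER = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def triage(events: List[IntrusionEvent], monitored: List[str],
           hosts: Dict[str, HostProfile]) -> List[Tuple[str, int, str]]:
    """Return (dst_ip, flag, label) tuples, most urgent first."""
    scored = [(e.dst_ip, impact_flag(e, monitored, hosts)) for e in events]
    scored.sort(key=lambda s: TRIAGE_ORDER[s[1]])
    return [(ip, flag, IMPACT_LABEL[flag]) for ip, flag in scored]


# Constructed sample data: one monitored range, one profiled host (TLS + SSH, Heartbleed mapped).
MONITORED = ["10.0.0.0/8"]
HOSTS = {"10.1.1.10": HostProfile("10.1.1.10", open_tcp_ports={22, 443}, vulns={"CVE-2014-0160"})}
SAMPLE_EVENTS = [  # deliberately out of priority order
    IntrusionEvent("203.0.113.7", "tcp", 80, {"CVE-2014-0160"}),    # outside monitored ranges  -> 0
    IntrusionEvent("10.1.1.50", "tcp", 80, {"CVE-2014-0160"}),      # monitored, unknown host   -> 4
    IntrusionEvent("10.1.1.10", "udp", 161, {"CVE-2002-0012"}),     # SNMP rule, no UDP/161    -> 3
    IntrusionEvent("10.1.1.10", "tcp", 22, {"CVE-2006-5051"}),      # SSH open, vuln not mapped -> 2
    IntrusionEvent("10.1.1.10", "tcp", 443, {"CVE-2014-0160"}),     # vuln mapped to host      -> 1
]

if __name__ == "__main__":
    for ip, flag, label in triage(SAMPLE_EVENTS, MONITORED, HOSTS):
        print(f"impact {flag}  {ip:<14} {label}")
```

The order of the checks matters: an event against an unprofiled host must come out as 4 even when the rule references a vulnerability, because there is no host data to match against, and a vulnerability match must be tested before the port check so that a mapped vulnerability on a service is never downgraded to "potentially vulnerable".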


Automated, Integrated Threat Defense: Superior Protection for the Entire Attack Continuum

Context and Threat Correlation: Impact Assessment (events ranked Priority 1, Priority 2, Priority 3)

The four capabilities covered in the following slides:

Context and Threat Correlation

Dynamic Security Control

Multi-vector Correlation

Retrospective Security


Dynamic Security Control: Adapt Policy to Risks

(Figure: web and HTTP flows, with policy adapted to the risk observed in them)


Multi-vector Correlation: Early Warning for Advanced Threats

(Figure: events from the PDF, Mail and Admin Request vectors correlated per host; Host A, Host B and Host C are shown with their IoC counts, 3 IoCs and 5 IoCs)


Retrospective Security: Shrink Time between Detection and Cure


Indications of Compromise (IoCs)

IPS Events: Malware Backdoors, Exploit Kits, Web App Attacks, CnC Connections, Admin Privilege Escalations

SI Events: Connections to Known CnC IPs

Malware Events: Malware Detections, Office/PDF/Java Compromises, Malware Executions, Dropper Infections
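Worked example, added here and not Cisco code, covering both the Multi-vector Correlation slide and the IoC categories above: map IPS, Security Intelligence (SI) and malware events to IoC tags, attribute each tag to the internal host it implicates, and rank hosts by the number of distinct IoCs to produce the early-warning list. The event field names, the classification-to-IoC mapping, the monitored ranges, the CnC feed entry and the sample events are assumptions constructed for this illustration.

```python
"""Per-host IoC tagging and ranking across event sources (added example, not Cisco code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MONITORED = [ip_network("10.0.0.0/8")]      # assumed internal ranges
KNOWN_CNC_IPS = {"198.51.100.23"}           # assumed Security Intelligence feed entry

# Assumed mapping from IPS rule classification to the IoC tag named on the slide.
IPS_IOC_TAGS = {
    "trojan-activity": "Malware Backdoors",
    "exploit-kit": "Exploit Kits",
    "web-application-attack": "Web App Attacks",
    "command-and-control": "CnC Connections",
    "successful-admin": "Admin Privilege Escalations",
}
# Assumed mapping from malware (AMP) event type to IoC tag.
MALWARE_IOC_TAGS = {
    "detection": "Malware Detections",
    "execution": "Malware Executions",
    "office-compromise": "Office/PDF/Java Compromises",
    "pdf-compromise": "Office/PDF/Java Compromises",
    "java-compromise": "Office/PDF/Java Compromises",
    "dropper": "Dropper Infections",
}
# Outbound-style tags implicate the connection's source (the infected host calling out);
# attack tags implicate the destination (the host being attacked).
SOURCE_SIDE_TAGS = {"CnC Connections", "Malware Backdoors"}


def is_internal(ip):
    return any(ip_address(ip) in net for net in MONITORED)


def ioc_for_event(ev):
    """Return (host, tag) if the event is an IoC for a monitored host, else None."""
    origin = ev["source"]
    if origin == "ips":
        tag = IPS_IOC_TAGS.get(ev["classification"])
        host = ev["src"] if tag in SOURCE_SIDE_TAGS else ev["dst"]
    elif origin == "si":
        tag = "Connections to Known CnC IPs" if ev["dst"] in KNOWN_CNC_IPS else None
        host = ev["src"]
    elif origin == "malware":
        tag = MALWARE_IOC_TAGS.get(ev["type"])
        host = ev["host"]                       # endpoint events already name the host
    else:
        return None
    if tag is None or not is_internal(host):
        return None
    return host, tag


def ioc_summary(events):
    """host -> set of distinct IoC tags; a repeated event adds no new IoC."""
    iocs = defaultdict(set)
    for ev in events:
        hit = ioc_for_event(ev)
        if hit:
            iocs[hit[0]].add(hit[1])
    return dict(iocs)


def rank_hosts(events):
    """(host, ioc_count) pairs, most IoCs first: the early-warning list."""
    return sorted(((h, len(t)) for h, t in ioc_summary(events).items()),
                  key=lambda x: (-x[1], x[0]))


SAMPLE_EVENTS = [  # constructed event stream from the three sources
    # Host A (10.1.1.20): exploit kit, then a detection and a dropper -> 3 IoCs
    {"source": "ips", "classification": "exploit-kit", "src": "203.0.113.9", "dst": "10.1.1.20"},
    {"source": "malware", "type": "detection", "host": "10.1.1.20"},
    {"source": "malware", "type": "dropper", "host": "10.1.1.20"},
    # Host B (10.1.1.30): web, CnC, malware and admin vectors -> 5 IoCs
    {"source": "ips", "classification": "web-application-attack", "src": "203.0.113.9", "dst": "10.1.1.30"},
    {"source": "si", "src": "10.1.1.30", "dst": "198.51.100.23"},
    {"source": "malware", "type": "execution", "host": "10.1.1.30"},
    {"source": "malware", "type": "pdf-compromise", "host": "10.1.1.30"},
    {"source": "ips", "classification": "successful-admin", "src": "203.0.113.9", "dst": "10.1.1.30"},
    # Host C (10.1.1.40): two backdoor events of the same category -> 1 IoC
    {"source": "ips", "classification": "trojan-activity", "src": "10.1.1.40", "dst": "203.0.113.44"},
    {"source": "ips", "classification": "trojan-activity", "src": "10.1.1.40", "dst": "203.0.113.45"},
    # Not IoCs: a non-IoC classification, and an SI lookup that misses the CnC list
    {"source": "ips", "classification": "policy-violation", "src": "10.1.1.40", "dst": "203.0.113.46"},
    {"source": "si", "src": "10.1.1.20", "dst": "198.51.100.99"},
]

if __name__ == "__main__":
    for host, tags in ioc_summary(SAMPLE_EVENTS).items():
        print(host, sorted(tags))
    print(rank_hosts(SAMPLE_EVENTS))
```

Ranking by distinct IoC categories rather than raw event count is the point of the slide's "3 IoCs / 5 IoCs" view: a noisy host repeating one backdoor signature (Host C) stays below a host touched by several independent vectors (Host B), which is the pattern that deserves the early warning.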


Integrated Threat Defense at Work

Cisco detects, analyzes and protects against known and emerging threats

Case study: “String of Paerls” malware campaign

Threat intelligence led to identifying and stopping this complex attack. Learn more: http://blogs.cisco.com/security/a-string-of-paerls

How we did it

• Leveraged data sources across Email, Web, and Advanced Malware Protection products

• Used “Big Data” analytics to link disparate events and malware activity

Results

• Multiple Indications of Compromise (IoCs) identified the malware infection

• Threat mitigated

Thank you.