Cisco, Sourcefire and Lancope - Better Together
TRANSCRIPT
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco, Sourcefire and Lancope – Better Together
David Salter, Technical Director, Lancope Inc.
26th February 2014
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Applies across: Network, Endpoint, Mobile, Virtual, Cloud
Spectrum: Point in time to Continuous
Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Visibility and Context
Point products mapped onto the continuum:
BEFORE: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC
DURING: IPS, Anti-Virus, Email/Web, IDS, FPC
AFTER: Forensics, AMD, Log Mgmt, SIEM
Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Visibility and Context
Cisco/Sourcefire portfolio across the continuum: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection
Lancope StealthWatch System
Attack Continuum – BEFORE: Control, Enforce, Harden
Visibility and Context
DEPTH (Sourcefire FireSIGHT)
• Host map and risk profile for up to 300K hosts
• Identify applications and services (over 2000)
• Identify operating systems
• Leverage network awareness as a component of NGIPS to help tune policy
BREADTH (Lancope StealthWatch)
• Monitor and profile network traffic and application data for up to 25M+ hosts
• Monitor policy
• Provide intelligence to improve defenses
• Identify precursors to an attack (example: reconnaissance)
Attack Continuum – DURING: Detect, Block, Defend
Visibility and Context
NETWORK FOCUS (Lancope StealthWatch)
• Leverages the existing Cisco infrastructure (routers, switches, firewalls) for detection
• Detection using behavioral profiles and statistical modeling
• Detects attacks that do not violate any policy (low-and-slow attacks, data loss)
• Detects ongoing attacks (DDoS)
HOST/APPLICATION FOCUS (Sourcefire)
• Network probes and host agents
• DPI and rules engine (Snort) to alert on or block exploit traffic against known vulnerabilities
• Detects/blocks known bad files for specific host platforms
• Leverages sandboxing to identify known bad file activity
Attack Continuum – AFTER: Scope, Contain, Remediate
Visibility and Context
Network (Lancope StealthWatch)
• Track infection spread through the network
• Create a forensic trail of network activities
• Investigate activities post mortem
• Reconstruct the attack timeline
File/host (Sourcefire Advanced Malware Protection)
• Provide file interaction history
• Detect and remediate known bad files
• Limit the proliferation of known bad files
Feature comparison: Sourcefire FireSIGHT vs Lancope StealthWatch

Data source
  FireSIGHT: Enriched metadata generated by dedicated sensors; creates a detailed network host map
  StealthWatch: NetFlow/IPFIX from Cisco routers, switches and firewalls, the StealthWatch FlowSensor, and other flow sources
Storage
  FireSIGHT: 500M events and 500M flow summaries, usually weeks of data or less
  StealthWatch: Up to 4 TB of storage per FlowCollector, usually many months or more; many FlowCollectors attached to a single Management Console
Event rate
  FireSIGHT: Up to 10,000 events per second, depending on appliance model
  StealthWatch: 120,000+ flows per second per FlowCollector appliance
Scalability
  FireSIGHT: Bounded by the Defense Center event database maximum
  StealthWatch: Horizontal; supports queries across multiple FlowCollectors
Scalability of data sources
  FireSIGHT: A single Defense Center can support over 100 sensors, one database
  StealthWatch: Up to 50,000 sources (routers / switches / firewalls)
Comparison: Sourcefire FireAMP vs Lancope StealthWatch

FireAMP: Detection of threats using file analysis.
StealthWatch: Detection of threats using traffic analysis.

FireAMP: File analysis is not 100 percent effective, but the files that are detected are quarantined.
StealthWatch: Detects malware created to evade file analysis or packet inspection. Remediation is performed by leveraging other technologies (firewall, IPS, traffic scrubber, host quarantine, etc.).

FireAMP: 'Retrospective' detection can alert on older malware when new intelligence is added to the cloud.
StealthWatch: User activity is recorded and available for both real-time and historic analysis of suspect hosts, spanning months/years.

FireAMP: Client support depends on platform. Network inspection requires a distributed deployment of FirePOWER devices.
StealthWatch: Monitors all host activity regardless of machine type, recording transactions for analysis.

FireAMP: Shows machines infected chronologically, and how the file moved and proliferated, but does not show flow information.
StealthWatch: Has an extensive history of all network communication made by infected hosts, used to determine the potential exposure.
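The two capabilities the deck keeps returning to, behavioral/statistical detection on flow data during an attack and replaying an infected host's flow history afterwards to determine exposure, come down to a few passes over NetFlow-style records. The block below is an added example written for this page; it is not Cisco, Sourcefire or Lancope code. The flow record is a hypothetical (timestamp, src, dst, dport, bytes) tuple, the 10.0.0.0/8 internal-network convention and the thresholds are assumptions, and every flow in it is constructed: seven quiet days for two hosts, then on day 7 one host adds a low-and-slow exfiltration, a reconnaissance sweep and one real lateral session.

```python
"""Behavioral detection and incident scoping over NetFlow-style records.

Constructed example; not Cisco, Sourcefire or Lancope code.  The flow
record is a hypothetical (timestamp, src, dst, dport, bytes) tuple, the
thresholds are illustrative and all traffic below is synthetic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2014, 2, 20)          # first day of the constructed data set
DAY7 = T0 + timedelta(days=7)       # the day the incident starts
ZSCORE_LIMIT = 3.0                  # flag a day > 3 sigma above the host's own baseline
SCAN_MIN_TARGETS = 25               # distinct (dst, port) pairs before a source is a scanner
PROBE_MAX_BYTES = 200               # flows this small are probes, not real sessions


def is_internal(ip):
    """Constructed convention: 10.0.0.0/8 is the monitored internal network."""
    return ip.startswith("10.")


def build_flows():
    """Eight days of ordinary HTTPS browsing for two hosts; on day 7 host
    10.0.0.5 adds a low-and-slow exfiltration, an SMB sweep and one real
    lateral session."""
    flows = []
    for day in range(8):
        base = T0 + timedelta(days=day)
        for host in ("10.0.0.5", "10.0.0.9"):
            for i in range(20):            # ~100-170 KB/day, drifting upward
                flows.append((base + timedelta(minutes=30 * i), host,
                              "203.0.113.10", 443, 4000 + 100 * i + 500 * day))
    for i in range(500):                   # 2 KB every ~3 min: no single flow is large
        flows.append((DAY7 + timedelta(seconds=170 * i), "10.0.0.5",
                      "198.51.100.7", 443, 2000))
    for n in range(1, 41):                 # 60-byte probes across 10.0.1.0/24 on 445
        flows.append((DAY7 + timedelta(hours=1, seconds=n), "10.0.0.5",
                      f"10.0.1.{n}", 445, 60))
    flows.append((DAY7 + timedelta(hours=2), "10.0.0.5", "10.0.1.17", 445, 50_000))
    return sorted(flows)


def daily_bytes_out(flows):
    """Bytes sent per (host, day) to external destinations only."""
    out = defaultdict(int)
    for ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            out[(src, ts.date())] += nbytes
    return out


def detect_volume_anomalies(flows, baseline_days=7):
    """Per-host statistical model: mean and stddev of daily bytes-out over the
    baseline window; later days above mean + ZSCORE_LIMIT*stddev are flagged.
    Every exfil flow is tiny and violates no rule; only the aggregate is odd."""
    per_day = daily_bytes_out(flows)
    cutoff = (T0 + timedelta(days=baseline_days)).date()
    history = defaultdict(list)
    for (host, day), nbytes in sorted(per_day.items()):
        if day < cutoff:
            history[host].append(nbytes)
    alerts = []
    for (host, day), nbytes in sorted(per_day.items()):
        if day < cutoff or len(history[host]) < 2:
            continue
        mu, sigma = mean(history[host]), pstdev(history[host])
        z = (nbytes - mu) / sigma if sigma else float("inf")
        if z > ZSCORE_LIMIT:
            alerts.append((host, day, nbytes, round(z, 1)))
    return alerts


def detect_reconnaissance(flows):
    """A source touching many distinct internal (dst, port) pairs with probe-sized
    flows is scanning: an attack precursor rather than a policy violation."""
    targets = defaultdict(set)
    for _ts, src, dst, port, nbytes in flows:
        if is_internal(src) and is_internal(dst) and nbytes <= PROBE_MAX_BYTES:
            targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= SCAN_MIN_TARGETS}


def scope_exposure(flows, host, since):
    """Replay a suspect host's flow history from `since`: internal peers it held
    real sessions with are the lateral exposure, bytes per external destination
    size the data loss, and the timeline is the forensic trail."""
    peers, external, timeline = set(), defaultdict(int), []
    for ts, src, dst, port, nbytes in flows:
        if src != host or ts < since:
            continue
        if not is_internal(dst):
            external[dst] += nbytes
        elif nbytes > PROBE_MAX_BYTES:
            peers.add(dst)
            timeline.append((ts.isoformat(), f"session to {dst}:{port}, {nbytes} bytes"))
    return {"internal_peers": sorted(peers),
            "bytes_to_external": dict(external),
            "timeline": timeline}
```

On this data `detect_volume_anomalies(build_flows())` flags only 10.0.0.5 on day 7 (about 52 sigma above its own baseline) while 10.0.0.9, whose volume also drifts upward, stays under the limit; `detect_reconnaissance` reports the 40-target sweep; and `scope_exposure(flows, "10.0.0.5", DAY7)` returns 10.0.1.17 as the one internal peer with a real session, 1,000,000 bytes to 198.51.100.7, and a one-entry timeline. The point the slides make holds here: none of the 500 exfil flows would trip a per-flow or per-packet rule, and the exposure question after the fact is answerable only because the flow history for the host was retained.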
Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Visibility and Context
Cisco/Sourcefire portfolio across the continuum: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection
Network Behavior Analysis: Lancope StealthWatch System
An Architectural Approach
• Pervasive visibility across the attack continuum
• Focus on threats in addition to policy
• Provide a holistic view into all host-to-host communication
• Reduce complexity, increase capabilities
• A platform strategy addressing a broad range of attack vectors, everywhere the threat manifests
• Enabled by world-class research and open source