Sourcefire FireAMP Update Eric Kostlan Technical Marketing Engineer Security Technology Business Unit July 8, 2014


TRANSCRIPT

  • Sourcefire FireAMP Update

    Eric Kostlan, Technical Marketing Engineer, Security Technology Business Unit

    July 8, 2014

  • Slide 2 (2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.)

    Session Objectives
    - Introduction
    - Cisco AMP Features and Design
    - Unique Business Value
    - Product Roadmap
    - Demonstration
    - Additional Resources


  • Slide 4

    At the end of the session, the participants should be able to:
    - Describe how AMP Everywhere gives customers unprecedented visibility and control.
    - Understand the design concepts central to core AMP functionality.
    - Explain the AMP product roadmap direction and features at a high level.


  • Slide 6 (Sourcefire Confidential: Internal or Partner Use Only)

    - Attackers are determined and resourceful.
    - Malware still gets onto devices; detection is not 100%.
    - Point-in-time detection is not sufficient.
    - An integrated response is required to be effective.
    - Advanced Malware Protection must be pervasive.

    AMP solves business problems:
    - Where do I start?
    - What is the scope and how bad is the situation?
    - What was the point and method of entry?
    - Can I control and remediate across gateways, networks, and endpoints?

  • Slide 7

    Comprehensive Security Solutions (the attack continuum)
    - BEFORE: Control, Enforce, Harden
    - DURING: Detect, Block, Defend
    - AFTER: Scope, Contain, Remediate

    Network: File Retrospection, File Trajectory, Contextual Awareness, Control Automation, In-line Threat Detection and Prevention

    Endpoint: File Retrospection, File Trajectory, Device Trajectory, File Analysis, Indications of Compromise, Outbreak Control, File Execution Blocking


  • Slide 9

    Reputation Filtering and Behavioral Detection

  • Slide 10

    Spero Engine: Big Data and Machine Learning
    - Spero is one of the detection engines in the AMP Cloud and provides zero-day detection.
    - It creates a feature print of a file from structural information: the PE header and the referred (imported) DLLs.
    - The feature print is sent to the AMP Cloud, which matches it against machine-learned trees and returns a disposition.
    - Spero is available in AMP for Networks and in the Windows Endpoint Connector.
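As an added example (not Cisco's code), the following Python builds a tiny PE32 image that contains nothing but an import table, parses its PE header, section table and import directory with the standard library alone, and derives a structural feature print of the kind the slide describes (PE header fields, section layout, referred DLLs). The `build_sample_pe` helper, the choice of feature fields and the hash over the canonical feature JSON are assumptions for illustration; the real Spero feature set and the cloud-side trained trees are not public. The point it makes: appending junk to the file changes its SHA-256 but not the feature print, which is why a structural print can catch a padded or trivially repacked variant that a one-to-one hash lookup misses.

```python
"""Spero-style structural feature print of a PE file (illustrative, not Cisco code)."""
import hashlib
import json
import struct

PE32, PE32PLUS = 0x10B, 0x20B


def build_sample_pe(dlls, tail=b""):
    """Constructed sample: minimal PE32 image with one .idata section holding an
    import directory that names `dlls`. `tail` appends bytes that touch no
    structural field (stand-in for padding / junk appended by a packer)."""
    idata_rva = 0x1000
    desc_size = 20 * (len(dlls) + 1)                       # descriptors + null terminator
    names, name_rvas = b"", []
    for dll in dlls:
        name_rvas.append(idata_rva + desc_size + len(names))
        names += dll.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas)
    idata = descs + b"\0" * 20 + names
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXE
    opt = struct.pack("<HBBIIIIII", PE32, 14, 0, 0, len(idata), 0, 0x1000, 0x1000, 0x1000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0,
                       6, 0, 0, 0x2000, 0x200, 0, 2, 0x8140, 0x100000, 0x1000,
                       0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (idata_rva, desc_size)                       # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), idata_rva,
                       0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return headers + idata.ljust(0x200, b"\0") + tail


def parse_pe(data):
    """Read the COFF header, the optional header fields we care about, the
    section table and the RVA of the import directory (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    plus = magic == PE32PLUS
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)   # same offset in both
    ndirs = struct.unpack_from("<I", data, opt + (108 if plus else 92))[0]
    import_rva = 0
    if ndirs > 1:                                          # data directory index 1
        import_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"),
                             va=va, vsize=vsize, rawptr=rawptr, rawsize=rawsize, chars=schars))
    return dict(machine=machine, characteristics=chars, entry_point=entry,
                subsystem=subsystem, dll_characteristics=dllchars,
                sections=sections, import_rva=import_rva)


def rva_to_offset(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def imported_dlls(data, sections, import_rva, limit=1024):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries until the null terminator."""
    dlls = []
    if not import_rva:
        return dlls
    off = rva_to_offset(sections, import_rva)
    for _ in range(limit):                                 # cap: malformed tables
        desc = struct.unpack_from("<IIIII", data, off)
        if not any(desc):
            break
        name_off = rva_to_offset(sections, desc[3])        # Name field
        end = data.index(b"\0", name_off)
        dlls.append(data[name_off:end].decode("ascii", "replace").lower())
        off += 20
    return dlls


def feature_print(data):
    """Structural print: header fields, section layout, referred DLLs. The
    chosen fields are illustrative; the hash makes the print a fixed-size token."""
    hdr = parse_pe(data)
    features = {
        "machine": hdr["machine"],
        "characteristics": hdr["characteristics"],
        "subsystem": hdr["subsystem"],
        "dll_characteristics": hdr["dll_characteristics"],
        "entry_point": hdr["entry_point"],
        # name, flags, and whether the section grows in memory (a common packer tell)
        "sections": [[s["name"], s["chars"], s["vsize"] > s["rawsize"]] for s in hdr["sections"]],
        "imports": sorted(set(imported_dlls(data, hdr["sections"], hdr["import_rva"]))),
    }
    digest = hashlib.sha256(json.dumps(features, sort_keys=True).encode()).hexdigest()
    return features, digest


if __name__ == "__main__":
    a = build_sample_pe(["KERNEL32.dll", "WinINet.dll"])
    b = build_sample_pe(["KERNEL32.dll", "WinINet.dll"], tail=b"\x90" * 64)
    fa, da = feature_print(a)
    _, db = feature_print(b)
    print("imports:", fa["imports"])
    print("same feature print:", da == db, "| same file hash:",
          hashlib.sha256(a).hexdigest() == hashlib.sha256(b).hexdigest())
```

`parse_pe` handles the PE32+ optional-header layout as well, although the constructed sample is PE32; feeding it a real executable from disk works the same way, since only `struct` is used.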

  • Slide 11

    AMP Cloud Features
    - Admin Portal: deployment and management
    - Network and Endpoint Protection
    - Tracking and Outbreak Control: Device Trajectory, File Trajectory, Threat Root Cause
    - Offloads heavy analysis from the Connector
    - Collective Security Intelligence

  • Slide 12

    AMP for Endpoints (AMP Cloud or Private Cloud)
    - Managed and deployed from the cloud
    - File activity (create/edit/move/execute)
    - Detection engines: One-to-One, Spero, Ethos
    - Simple and Advanced Custom Detections
    - Retrospective alerting and quarantine
    - Application Control
    - Network Flow Correlation
    - Black/White Lists
    - Dynamic Analysis

  • Slide 13

    AMP for Endpoints Capabilities (Windows / Mac / Android)
    - Hash Lookups: SHA256 / SHA256 / SHA1
    - Ethos, Spero, Simple Custom Detections, Advanced Custom Detections, Retrospective Alerting, File Quarantine, Device Flow Correlation, Application Control (per-platform availability marks not shown)
    - Supported Clouds: Public, Private / Public / Public

  • Slide 14

    AMP for Networks
    - Managed by the FireSIGHT Management Console (Defense Center): configuration (policy), File Trajectory, AMP event correlation
    - FirePOWER appliance: carves files from network flows, stores them locally, calculates a hash for lookup (by policy)
    - File disposition queried against the AMP Cloud (SHA256, Spero)
    - File submitted for dynamic analysis to the VRT Dynamic Analysis Cloud (by policy); manual dynamic analysis for Endpoint Connectors
    - File detection: One-to-One SHA256, Spero
    - File Trajectory, Retrospective Alerting, Dynamic Analysis
    - Policy-based automatic file submission
    - Public Cloud only; private cloud available in 5.4

  • Slide 15

    AMP for Networks Integrated with AMP for Endpoints
    - FireSIGHT Management Console (Defense Center): configuration (policy), File Trajectory, AMP event correlation, plus a link to the AMP Public Cloud for Endpoint Connector events
    - FirePOWER appliance: carves files from network flows, stores them locally, calculates a hash for lookup (by policy)
    - File disposition queried against the AMP Cloud (SHA256, Spero)
    - File submitted for dynamic analysis to the VRT Dynamic Analysis Cloud (by policy); manual dynamic analysis for Endpoint Connectors
    - Endpoint Connectors report to the AMP Cloud, so their events are correlated alongside the network events

  • Slide 16

    FireAMP Private Cloud Design (not available until 5.4)
    - Admin portal for rapid deployment and management
    - Anonymized file disposition lookups
    - Retrospective Analysis
    - Device Trajectory, File Trajectory, Root Cause
    - Tracking and Outbreak Control

  • Slide 17

    Public Cloud Communication and Retrospection
    - Connector -> AMP Cloud: file query for the enterprise (Connector ID, SHA, Spero, Ethos)
    - AMP Cloud -> Connector: response disposition
    - Connector -> AMP Cloud: PING2 query; AMP Cloud -> Connector: changed disposition
    - A SHA conviction in the AMP Cloud is placed on the retrospective queue and delivered to the connectors as a changed disposition

  • Slide 18

    Private Cloud Communication and Retrospection

    Connectors <-> on-premise appliance:
    - File query, first/unique in the enterprise (Connector ID, SHA, Spero, Ethos): Spero and Ethos are evaluated locally; the appliance sends an upstream file query to the AMP Cloud and returns the response disposition
    - File query, previously seen in the enterprise (Connector ID, SHA, Spero, Ethos): Spero and Ethos are evaluated locally; the response disposition comes from the appliance
    - PING2 query / changed disposition (from the appliance's retrospective queue)

    On-premise appliance <-> AMP Cloud:
    - Upstream file query (Device ID, SHA) / response disposition
    - PING2 query / changed disposition (from the cloud's retrospective queue after a SHA conviction)
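The two exchanges on slides 17 and 18 as an added, self-contained Python model (not Cisco's protocol implementation): a stand-in public cloud with a disposition table and a retrospective queue, and an on-premise appliance that evaluates Spero/Ethos locally, answers repeat sightings from its own cache, and forwards only the first sighting of a SHA upstream as (Device ID, SHA). Class and field names, the PING2 polling shape, the single appliance-wide device ID, the rule that a local Spero/Ethos hit skips the upstream query, and the local engines (modelled as sets of known-bad prints) are assumptions for illustration. The check worth running is on `upstream_log`: nothing but a device ID and a SHA ever leaves the enterprise, yet every connector that asked about a later-convicted SHA still receives the changed disposition.

```python
"""FireAMP private-cloud lookup path, modelled in plain Python (added example, not Cisco code)."""
from collections import defaultdict


class AmpCloud:
    """Public cloud stand-in: disposition table plus a per-device retrospective queue."""

    def __init__(self, known):
        self.known = dict(known)                  # sha -> disposition
        self.seen_by = defaultdict(set)           # sha -> device IDs that asked about it
        self.retro_queue = defaultdict(list)      # device ID -> pending changed dispositions
        self.upstream_log = []                    # every message that crossed the boundary

    def file_query(self, device_id, sha):
        self.upstream_log.append({"device_id": device_id, "sha": sha})
        self.seen_by[sha].add(device_id)
        return self.known.get(sha, "unknown")

    def convict(self, sha):
        """SHA conviction: queue a changed disposition for every device that asked."""
        self.known[sha] = "malicious"
        for device_id in self.seen_by[sha]:
            self.retro_queue[device_id].append((sha, "malicious"))

    def ping2(self, device_id):
        changed, self.retro_queue[device_id] = self.retro_queue[device_id], []
        return changed


class PrivateCloudAppliance:
    """On-premise appliance: local engines, enterprise cache, upstream by device ID only."""

    def __init__(self, cloud, device_id, local_spero, local_ethos):
        self.cloud, self.device_id = cloud, device_id
        self.local_spero, self.local_ethos = local_spero, local_ethos  # stand-in engines
        self.cache = {}                           # sha -> disposition already seen in the enterprise
        self.connectors_for = defaultdict(set)    # sha -> connector IDs that queried it
        self.retro_queue = defaultdict(list)      # connector ID -> pending changed dispositions

    def file_query(self, connector_id, sha, spero, ethos):
        self.connectors_for[sha].add(connector_id)
        # Spero / Ethos are evaluated here and never leave the enterprise (assumption:
        # a local hit is a conviction and needs no upstream lookup).
        if spero in self.local_spero or ethos in self.local_ethos:
            self.cache[sha] = "malicious"
        if sha not in self.cache:                 # first / unique sighting in the enterprise
            self.cache[sha] = self.cloud.file_query(self.device_id, sha)
        return self.cache[sha]                    # previously seen: answered locally

    def ping2(self, connector_id):
        # Drain the cloud's queue into ours first, then hand this connector its share.
        for sha, disp in self.cloud.ping2(self.device_id):
            self.cache[sha] = disp
            for cid in self.connectors_for[sha]:
                self.retro_queue[cid].append((sha, disp))
        changed, self.retro_queue[connector_id] = self.retro_queue[connector_id], []
        return changed


def run_scenario():
    """Constructed scenario: three connectors, one unknown SHA that is later convicted,
    one SHA caught by the local Spero stand-in."""
    cloud = AmpCloud({"sha-clean-1": "clean"})
    appliance = PrivateCloudAppliance(cloud, device_id="dev-42",
                                      local_spero={"spero-bad"}, local_ethos=set())
    r1 = appliance.file_query("conn-A", "sha-unknown-7", spero="spero-x", ethos="ethos-x")
    r2 = appliance.file_query("conn-B", "sha-unknown-7", spero="spero-x", ethos="ethos-x")
    r3 = appliance.file_query("conn-C", "sha-local-9", spero="spero-bad", ethos="ethos-y")
    cloud.convict("sha-unknown-7")                # the cloud learns the file is bad
    retro = {cid: appliance.ping2(cid) for cid in ("conn-A", "conn-B", "conn-C")}
    return {"responses": [r1, r2, r3], "upstream": cloud.upstream_log, "retro": retro}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```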

  • Slide 19

    AMP Everywhere (columns: Endpoint, Network, Gateway, Sandbox; rows: Cloud Connected, On-Premises)
    - Endpoint: FireAMP (cloud connected); FireAMP Private Cloud (on-premises)
    - Network: FirePOWER, ASA
    - Gateway: ESA, WSA, CWS
    - Sandbox: Dynamic Analysis (cloud connected and on-premises)
    - FireSIGHT: events / correlation across all of the above

    Out-scoping the competition: Cisco has the most comprehensive strategy for Advanced Malware Protection.

  • Slide 20

    FirePOWER Services on the ASA (ASA cluster with a Sourcefire virtual sensor)
    - Managed by the FireSIGHT Management Console (Defense Center): configuration (policy), File Trajectory, AMP event correlation; Cisco Security Manager for the ASA
    - File disposition queried against the AMP Cloud (SHA256, Spero)
    - File submitted for dynamic analysis to the VRT Dynamic Analysis Cloud; manual dynamic analysis for Endpoint Connectors
    - Link to the AMP Public Cloud for Endpoint Connector events

  • Slide 21

    Performance Testing Methodology and Estimator
    - Broad traffic mix (HTTP, SMTP, FTP, SSH, BitTorrent)
    - Multiple file types (PDF, MP3, FLV, JPG, EXE)
    - Low file volume (30%) tests and high file volume (50%) tests
    - Results fed into the Performance Estimator, to be available on the Cisco intranet

  • Slide 22

    AMP Throughput Guidelines
    - AMP throughput is ~30-35% of IPS throughput and ~60-70% of NGFW throughput
    - Assumes NGFW, IPS and File policies are enabled (Access Control Rules, IPS Policy, Application Classification, File Policy, Cloud Malware Lookups)
    - Guideline applies to standard FirePOWER appliances and modules; dedicated AMP appliances have their AMP throughput in the data sheet

    Model   | IPS (Mbps) | IPS+NGFW | IPS+NGFW+AMP
    3D8390  | 60000      | 30000    | 21000
    3D8370  | 45000      | 22500    | 16500
    3D8360  | 30000      | 15000    | 10500
    3D8350  | 15000      | 7500     | 4500


  • Slide 24

    Beyond the Event Horizon

    Antivirus and sandboxing (point-in-time detection):
    - Initial disposition = Clean; analysis stops
    - Not 100%: evaded by sleep techniques, unknown protocols, encryption, polymorphism
    - Actual disposition = Bad = too late; blind to the scope of compromise

    Cisco AMP (retrospective detection):
    - Initial disposition = Clean, but analysis continues
    - Actual disposition = Bad = blocked
    - Turns back time: visibility and control are key

  • Slide 25

    Competition

    McAfee
    - Strengths: Mature player with roots as a consumer AV supplier. Stonesoft has good third-party results. Class-one competitor in the IPS space. The Intel acquisition has opened the Internet of Things for McAfee.
    - Weaknesses: Sandbox technology. Different technologies used for inspection, remediation, etc. Difficult to choose a solution, as the offerings are really confusing. Snort is not integrated well.
    - Why Cisco? Architecturally superior to McAfee, which still banks on sandboxing for dynamic analysis. AMP is well integrated with FirePOWER platforms and does not require a separate box for malware detection. Supported by a superior IPS.

    FireEye (with Mandiant)
    - Strengths: Multi-vector technology, an innovation over regular sandboxing. Mandiant added to the product profile as an endpoint solution. Easy to deploy and manage.
    - Weaknesses: Always allows the first threat; the lack of an endpoint solution has made it worse. Lack of a good IPS creates lots of false positives. Remediation takes minutes to hours; the solution sweeps the network to find infected hosts. Cannot inspect encrypted traffic.
    - Why Cisco? Superior malware detection technology (big data). Better visibility and scope determination. Superior remediation and control capabilities. Visibility into encrypted traffic. Better protection for mobile endpoints. Resistance to sandbox evasions. Better coverage with AMP on ESA/WSA.

    Palo Alto Networks (with Cyvera)
    - Strengths: Endpoint presence with the Cyvera acquisition. Cyvera will address poor IPS coverage by interoperating with Wildfire. Threat prevention with global intelligence sharing through Wildfire.
    - Weaknesses: No solution for the "after" phase of the attack continuum: no remediation capabilities, no scope determination capabilities. Cyvera detection technology has performance overhead. Management integration will be tricky.
    - Why Cisco? Addresses all of the Cyvera weaknesses above. Cisco addresses all phases of the attack continuum, with solutions for the "after" phase (remediation, retrospection and scope determination). Better endpoint protection for mobile endpoints. Superior IPS technology.

  • Slide 26

    NSS Labs Security Value Map (SVM) for Breach Detection Systems
    [chart: Security Effectiveness vs. TCO per Protected-Mbps]
    Cisco Advanced Malware Protection: Best Protection Value
    - 99.0% Breach Detection Rating
    - Lowest TCO per Protected-Mbps


  • Slide 28

    Advanced Malware Protection Roadmap Summary (Q114, Q214, Q314, Q414, Q115)
    Legend: Endpoint Component, Network Component, Content Component, Common Use

    Cloud and Connector Delivery Model
    - FirePower v5.3: 0-day malware detection (cloud based sandbox), file capture and storage, custom file detection/blocking, host and network malware event correlation
    - FireAMP 5.0 / Connector 4.0: Endpoint OpenIOC, license enforcements
    - FireAMP Private Cloud 1.0: virtual appliance, proxied cloud with local management and reporting
    - FireAMP 4.5.2 / Connector 3.1.9: remote file extraction
    - FireAMP 4.5: Cloud IOC support, Elastic Search, low prevalence report
    - FireAMP Private Cloud 2.0: air-gapped, license enforcements

    On-Premise Delivery Model (above plus these)
    - Dynamic Analysis: local dynamic analysis (sandboxing), ThreatGRID on-prem integration
    - AMP 8150, 7150: new FirePOWER models with increased memory and CPU cores (for file functions)
    - FireAMP 5.1: role-based access control (RBAC), support portal, risk reports
    - FireAMP Linux Connector 1.0: Linux support
    - Mac OSX Connector 1.0: Mac OSX support
    - FirePower SSL: integrated SSL decryption, private cloud support, EU cloud support, file archive (.zip) support, UTF-8 filename display
    - AMP on Web/Mail/Cloud (ESA/WSA/CWS): file disposition look-ups, 0-day malware detection (cloud based sandbox)
    - AMP on Web/Mail/Cloud (ESA/WSA/CWS): private cloud support, custom file detection/blocking
    - Mac OSX Connector 1.x: parity completion
    - FirePower ASA: AMP (Sourcefire) on ASA
    - Dynamic Analysis: ThreatGRID cloud integration


  • Slide 30

    The key takeaways of this presentation were:
    - AMP utilizes a variety of on-box engines and cloud services.
    - Integration of AMP for Endpoints and AMP for Networks enhances AMP capabilities.
    - The ASA provides AMP capabilities by means of an on-box FirePOWER virtual sensor (AMP for Networks).
    - AMP provides competitive advantages to several Cisco products.


  • Slide 32

    The following will be demonstrated:
    - AMP for Endpoints
    - AMP for Networks
    - File Trajectory

  • Slide 33

    - An unknown file is present on IP 10.4.10.183, having been downloaded with Firefox.
    - At 10:57 the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
    - Seven hours later the file is transferred to a third device (10.3.4.51) over an SMB application.
    - A half hour later the file is copied to yet a fourth device (10.5.60.66) through the same SMB application.
    - The Cisco Collective Security Intelligence Cloud learns that this file is malicious, and a retrospective event is raised for all four devices immediately.
    - At the same time, the device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
    - Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
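The demonstration scenario above, as an added Python example (not the product's code): it replays the slide's four-host transfer chain as a constructed event log, rebuilds the file trajectory per SHA-256, determines the scope when the cloud disposition flips to malicious, quarantines on the host that runs the endpoint connector and raises retrospective alerts for the rest, and blocks the file when it tries to re-enter through the original point of entry. The SHA-256 value, the exact download time, the application on the 10:57 hop and the choice of 10.5.60.66 as the connector-equipped host are assumptions.

```python
"""File Trajectory plus retrospective outbreak control for the demo scenario
(added example, not Cisco code; hosts, times and protocols from the slide,
the SHA-256 value and connector placement are made up)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    when: datetime
    src: str            # sending host, or "internet" for the original download
    dst: str            # receiving host
    sha256: str
    app: str            # protocol / application that carried the file


@dataclass
class Trajectory:
    sha256: str
    hops: list = field(default_factory=list)   # ordered (when, src, dst, app)

    def hosts(self):
        """Scope: every host the file has touched, in first-seen order."""
        seen = []
        for _, src, dst, _ in self.hops:
            for host in (src, dst):
                if host != "internet" and host not in seen:
                    seen.append(host)
        return seen


class AmpTracker:
    def __init__(self, endpoint_connectors):
        self.connectors = set(endpoint_connectors)   # hosts running the FireAMP connector
        self.disposition = {}                        # sha -> current disposition
        self.trajectories = {}                       # sha -> Trajectory
        self.actions = []                            # audit trail: (when, action, host, sha)

    def observe(self, ev):
        """A network or endpoint file event: block if already known bad, else record the hop."""
        if self.disposition.get(ev.sha256) == "malicious":
            self.actions.append((ev.when, "blocked", ev.dst, ev.sha256))
            return "blocked"
        traj = self.trajectories.setdefault(ev.sha256, Trajectory(ev.sha256))
        traj.hops.append((ev.when, ev.src, ev.dst, ev.app))
        return "allowed"

    def retrospective(self, when, sha256, new_disposition):
        """The cloud changed its mind: raise an event for every host in scope,
        quarantining where a connector can act and alerting elsewhere."""
        self.disposition[sha256] = new_disposition
        if new_disposition != "malicious" or sha256 not in self.trajectories:
            return []
        raised = []
        for host in self.trajectories[sha256].hosts():
            action = "quarantined" if host in self.connectors else "retrospective_alert"
            self.actions.append((when, action, host, sha256))
            raised.append((host, action))
        return raised


def run_demo():
    sha = "a" * 64                                    # constructed stand-in SHA-256
    t0 = datetime(2014, 7, 8, 10, 57)
    tracker = AmpTracker(endpoint_connectors={"10.5.60.66"})   # assumed connector host
    events = [                                        # constructed from the slide's narrative
        FileEvent(t0 - timedelta(minutes=5), "internet", "10.4.10.183", sha, "Firefox"),
        FileEvent(t0, "10.4.10.183", "10.5.11.8", sha, "unspecified"),
        FileEvent(t0 + timedelta(hours=7), "10.5.11.8", "10.3.4.51", sha, "SMB"),
        FileEvent(t0 + timedelta(hours=7, minutes=30), "10.3.4.51", "10.5.60.66", sha, "SMB"),
    ]
    first_pass = [tracker.observe(e) for e in events]
    raised = tracker.retrospective(t0 + timedelta(hours=7, minutes=31), sha, "malicious")
    reentry = tracker.observe(FileEvent(t0 + timedelta(hours=8), "internet",
                                        "10.4.10.183", sha, "Firefox"))
    return {"first_pass": first_pass, "scope": tracker.trajectories[sha].hosts(),
            "raised": raised, "reentry": reentry, "actions": tracker.actions}


if __name__ == "__main__":
    result = run_demo()
    for entry in result["actions"]:
        print(*entry)
```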


  • Slide 35

    Additional Resources
    - Sourcefire IQ Center: https://sourcefire.learn.taleo.net
    - NSS Report: https://info.sourcefire.com/NSSBreachDetectionReportSEM.html?gclid=CL_lnJH0-L4CFQWTfgodyhQAsg
    - dCloud Demonstration Pods: http://dcloud.cisco.com
    - Partner Education Connection: http://www.cisco.com/web/learning/le36/learning_partner_e-learning_connection_tool_launch.html

  • Thank you.