Cisco, Sourcefire and Lancope - Better Together

Cisco Confidential © 2014 Cisco and/or its affiliates. All rights reserved. Cisco, Sourcefire and Lancope – Better Together. David Salter, Technical Director, Lancope Inc. 26th February 2014

Transcript of Cisco, Sourcefire and Lancope - Better Together

Cisco, Sourcefire and Lancope – Better Together
David Salter, Technical Director, Lancope Inc.
26th February 2014


The Problem is


Attack Continuum

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Coverage: Network | Endpoint | Mobile | Virtual | Cloud

Point in time | Continuous


Attack Continuum

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Visibility and Context

Point products shown across the continuum: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Anti-Virus, Email/Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM


Attack Continuum

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Visibility and Context

Cisco and Sourcefire products shown across the continuum: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Lancope StealthWatch System


Visibility and Context

Attack Continuum – BEFORE: Control, Enforce, Harden

• DEPTH
  • Host map and risk profile up to 300K hosts
  • Identify applications and services (over 2000)
  • Identify Operating Systems
  • Leverage network awareness as a component of NGIPS
  • Help tune policy

• BREADTH
  • Monitor and profile network traffic and application data for up to 25M+ hosts
  • Monitor policy
  • Provide intelligence to improve defenses
  • Identify precursors to an attack (example: reconnaissance)


Visibility and Context

Attack Continuum – DURING: Detect, Block, Defend

• NETWORK FOCUS
  • Leverages Cisco infrastructure for detection
  • Detection using behavioral profiles & statistical modeling
  • Detect attacks that do not violate policy (low and slow attacks, data loss)
  • Detect ongoing attacks (DDoS)

• HOST/APPLICATION FOCUS
  • Network probes and host agents
  • DPI & rules engine (Snort) to alert/block vulnerabilities
  • Detect/block known bad files for specific host platforms
  • Leverage sandboxing to identify known bad file activity


Visibility and Context

Attack Continuum – AFTER: Scope, Contain, Remediate

• Track infection spread through the network
• Create a forensic trail of network activities
• Investigate activities post mortem
• Reconstruct attack timeline
• Provide file interaction history
• Detect and remediate known bad files
• Limit the proliferation of known bad files
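The DURING slide describes detection using behavioral profiles and statistical modeling over flow data, and the AFTER slide describes tracking infection spread from a forensic trail of network activity. The following added example is mine, not Cisco, Sourcefire or Lancope code, and is not how StealthWatch is implemented; it sketches both ideas on constructed NetFlow-style records. A per-host egress baseline flags a host that sends far more data out than its own history predicts (the slide's "data loss" case, which violates no policy), and a peer query over the retained flows lists which internal hosts that machine then contacted, for scoping. The Flow record layout, the 10.0.0.0/8 "internal" prefix, the 3-sigma threshold, the 1 MB floor and all sample values are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Assumption: 10.0.0.0/8 is "inside"; 198.51.100.0/24 and 203.0.113.0/24
# (RFC 5737 documentation ranges) stand in for "outside".
INTERNAL_PREFIX = "10."


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (constructed layout, not a real export format)."""
    day: int          # observation day; days before the current day form the baseline
    src: str
    dst: str
    dport: int
    byte_count: int   # bytes sent from src to dst in this record


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def daily_egress(flows: List[Flow]) -> Dict[str, Dict[int, int]]:
    """Aggregate bytes sent by each internal host to external destinations, per day."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src][f.day] += f.byte_count
    return totals


def egress_anomalies(flows: List[Flow], current_day: int, sigma: float = 3.0,
                     min_bytes: int = 1_000_000) -> Dict[str, Tuple[int, float, float]]:
    """
    Behavioral profile: compare each host's egress on current_day with the mean
    and population stdev of its earlier days.  A host with no earlier days has no
    profile and is reported with z = inf (a brand-new host pushing data out is
    itself worth a look).  Senders below min_bytes are ignored so a host with a
    near-zero baseline does not trip on noise.
    Returns {host: (bytes_today, baseline_mean, z_score)} for flagged hosts only.
    """
    flagged: Dict[str, Tuple[int, float, float]] = {}
    for host, per_day in daily_egress(flows).items():
        today = per_day.get(current_day, 0)
        history = [b for d, b in per_day.items() if d < current_day]
        if today < min_bytes:
            continue
        if not history:
            flagged[host] = (today, 0.0, float("inf"))
            continue
        mu, sd = mean(history), pstdev(history)
        # Floor the spread at 10% of the mean so a perfectly flat baseline
        # still yields a finite score instead of a division by zero.
        z = (today - mu) / max(sd, 0.1 * mu)
        if z >= sigma:
            flagged[host] = (today, mu, z)
    return flagged


def internal_peers(flows: List[Flow], host: str, since_day: int) -> Dict[str, Tuple[int, Set[int]]]:
    """
    Forensic trail for scoping: every internal host that `host` connected to on
    or after since_day, with the first day seen and the destination ports used.
    """
    peers: Dict[str, Tuple[int, Set[int]]] = {}
    for f in sorted(flows, key=lambda r: r.day):
        if f.src == host and is_internal(f.dst) and f.day >= since_day:
            first_seen, ports = peers.get(f.dst, (f.day, set()))
            ports.add(f.dport)
            peers[f.dst] = (first_seen, ports)
    return peers


# Constructed sample: seven baseline days of routine HTTPS egress for two
# workstations, then an eighth day with a large transfer and lateral SMB/RDP.
CURRENT_DAY = 8
SAMPLE_FLOWS: List[Flow] = []
for day in range(1, CURRENT_DAY):
    SAMPLE_FLOWS.append(Flow(day, "10.0.0.5", "203.0.113.10", 443, 1_000_000 + 50_000 * (day % 3)))
    SAMPLE_FLOWS.append(Flow(day, "10.0.0.7", "203.0.113.10", 443, 2_000_000 + 100_000 * (day % 2)))
SAMPLE_FLOWS += [
    Flow(3, "10.0.0.7", "10.0.0.5", 445, 20_000),             # old internal SMB chatter, before the incident
    Flow(8, "10.0.0.5", "198.51.100.20", 443, 900_000_000),   # 900 MB to an unfamiliar external host
    Flow(8, "10.0.0.5", "203.0.113.10", 443, 1_050_000),
    Flow(8, "10.0.0.7", "203.0.113.10", 443, 2_100_000),      # still within its profile
    Flow(8, "10.0.0.5", "10.0.0.7", 445, 50_000),             # lateral: SMB to a peer
    Flow(8, "10.0.0.5", "10.0.0.9", 3389, 80_000),            # lateral: RDP to another peer
    Flow(9, "10.0.0.5", "10.0.0.7", 3389, 10_000),
    Flow(8, "10.0.0.11", "198.51.100.20", 443, 5_000_000),    # host with no baseline at all
]

if __name__ == "__main__":
    for host, (today, mu, z) in egress_anomalies(SAMPLE_FLOWS, CURRENT_DAY).items():
        print(f"{host}: {today} bytes out today vs baseline mean {mu:.0f} (z={z:.1f})")
        for peer, (first, ports) in internal_peers(SAMPLE_FLOWS, host, CURRENT_DAY).items():
            print(f"  contacted {peer} from day {first} on ports {sorted(ports)}")
```

Running the block flags 10.0.0.5 (roughly 900 MB against a 1 MB/day baseline) and 10.0.0.11 (no history), leaves 10.0.0.7 alone, and lists 10.0.0.7 and 10.0.0.9 as the internal hosts 10.0.0.5 reached afterwards; the day-3 flow in the other direction is correctly outside the trail. A production system would baseline per destination, per port and per time of day rather than one total, but the shape of the check and the value of retaining flows for months is the same.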


Feature | Sourcefire FireSIGHT | Lancope StealthWatch
Data Source | Enriched metadata generated by dedicated sensors; creates a detailed network host map | NetFlow/IPFIX from Cisco routers, switches and firewalls, StealthWatch FlowSensor, and other flow sources
Storage | 500M events and 500M flow summaries, usually weeks of data or less | Up to 4TB of storage per collector, usually many months or more. Many FlowCollectors attached to a single Management Console
Event Rate | Up to 10,000 events per second, based on appliance model | 120,000+ flows per second per FlowCollector appliance
Scalability | Based on Defense Center event database max | Horizontal; supports queries across multiple FlowCollectors
Scalability of data sources | Single Defense Center can support over 100 sensors, one database | Up to 50,000 sources (routers / switches / firewalls)


Sourcefire FireAMP | Lancope StealthWatch
Detection of threats using file analysis | Detection of threats using traffic analysis
File analysis is not 100 percent effective, but those files that are detected are quarantined. | Detects malware created to evade file analysis or packet inspection. Remediation is performed leveraging other technologies (firewall, IPS, traffic scrubber, host quarantine, etc.)
'Retrospective' detection can alert to older malware when new intelligence is added to the cloud. | User activity is recorded and available for both real-time and historic analysis of suspect hosts spanning months/years.
Client support depends on platform. Network inspection requires a distributed deployment of FirePOWER devices. | Monitors all host activity regardless of machine type, recording transactions for analysis.
FireAMP shows machines infected chronologically and how the file moved and proliferated, but does not show flow information. | StealthWatch has an extensive history of all network communication made by infected hosts, used to determine the potential exposure.


Attack Continuum

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Visibility and Context

Cisco, Sourcefire and Lancope products shown across the continuum: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behavior Analysis, Lancope StealthWatch System


An Architectural Approach

• Pervasive visibility across the attack continuum
• Focus on threats in addition to policy
• Provide a holistic view into all host-to-host communication
• Reduce complexity, increase capabilities
• A platform strategy addressing a broad range of attack vectors – everywhere the threat manifests
• Enabled by world-class research & open source

Thank you.