Cisco, Sourcefire and Lancope - Better Together

Technology

Published on February 28, 2014

Author: Lancope

Source: slideshare.net

Description

Technology overview for Sourcefire FireSIGHT and Lancope StealthWatch including:

• Core features and functionality
• Market positioning and differentiators
• Technology integration for effective incident response

Cisco, Sourcefire and Lancope – Better Together
David Salter, Technical Director, Lancope Inc.
26th February 2014
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1

The Problem is


Attack Continuum (point in time and continuous; spanning Network, Endpoint, Mobile, Virtual and Cloud)
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Attack Continuum: security technologies across the phases
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
• Technologies shown: Firewall, Patch Mgmt, IPS, IDS, AMD, App Control, Vuln Mgmt, Anti-Virus, FPC, Log Mgmt, VPN, IAM/NAC, Email/Web, Forensics, SIEM
• Visibility and Context underpins all three phases

Attack Continuum: the Cisco portfolio across the phases
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
• Products shown: Firewall, VPN, NGFW, UTM, NAC + Identity Services, NGIPS, Advanced Malware Protection, Web Security, Email Security, Lancope StealthWatch System
• Visibility and Context underpins all three phases

Attack Continuum – BEFORE (Control, Enforce, Harden)
BREADTH
• Monitor and profile network traffic and application data for up to 25M+ hosts
• Monitor policy
• Provide intelligence to improve defenses
• Identify precursors to an attack (example: reconnaissance)
DEPTH
• Host map and risk profile for up to 300K hosts
• Identify applications and services (over 2000)
• Identify operating systems
• Leverage network awareness as a component of NGIPS
• Help tune policy
Visibility and Context

Attack Continuum – DURING (Detect, Block, Defend)
NETWORK FOCUS
• Leverages Cisco infrastructure for detection
• Detection using behavioral profiles and statistical modeling
• Detect attacks that do not violate policy (low and slow attacks, data loss)
• Detect ongoing attacks (DDoS)
HOST/APPLICATION FOCUS
• Network probes and host agents
• DPI and rules engine (Snort) to alert on or block vulnerabilities
• Detect/block known bad files for specific host platforms
• Leverage sandboxing to identify known bad file activity
Visibility and Context

Attack Continuum – AFTER (Scope, Contain, Remediate)
• Track infection spread through the network
• Create a forensic trail of network activities
• Investigate activities post mortem
• Reconstruct the attack timeline
• Provide file interaction history
• Detect and remediate known bad files
• Limit the proliferation of known bad files
Visibility and Context

Feature comparison: Sourcefire FireSIGHT vs. Lancope StealthWatch

Data Source
  Sourcefire FireSIGHT: Enriched metadata generated by dedicated sensors; creates a detailed network host map
  Lancope StealthWatch: NetFlow/IPFIX from Cisco routers, switches and firewalls, StealthWatch FlowSensor, and other flow sources

Storage
  Sourcefire FireSIGHT: 500M events and 500M flow summaries, usually weeks of data or less
  Lancope StealthWatch: Up to 4TB of storage per collector, usually many months or more; many FlowCollectors attached to a single Management Console

Event Rate
  Sourcefire FireSIGHT: Up to 10,000 events per second, based on appliance model
  Lancope StealthWatch: 120,000+ flows per second per FlowCollector appliance

Scalability
  Sourcefire FireSIGHT: Based on Defense Center event database maximum
  Lancope StealthWatch: Horizontal; supports queries across multiple FlowCollectors

Scalability of data sources
  Sourcefire FireSIGHT: A single Defense Center can support over 100 sensors, one database
  Lancope StealthWatch: Up to 50,000 sources (routers / switches / firewalls)

Sourcefire FireAMP vs. Lancope StealthWatch

Sourcefire FireAMP
• Detection of threats using file analysis
• File analysis is not 100 percent effective, but those files that are detected are quarantined
• ‘Retrospective’ detection can alert on older malware when new intelligence is added to the cloud
• Client support depends on platform; network inspection requires a distributed deployment of FirePOWER devices
• Shows machines infected chronologically, and how the file moved and proliferated, but does not show flow information

Lancope StealthWatch
• Detection of threats using traffic analysis
• Detects malware created to evade file analysis or packet inspection; remediation is performed leveraging other technologies (firewall, IPS, traffic scrubber, host quarantine, etc.)
• User activity recorded and available for both real-time and historic analysis of suspect hosts spanning months/years
• Monitors all host activity regardless of machine type, recording transactions for analysis
• Holds an extensive history of all network communication made by infected hosts, to determine the potential exposure
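The two flow-based capabilities the deck attributes to StealthWatch, behavioral detection of data loss that violates no policy (the DURING slide) and scoping an infected host's exposure from its communication history (the comparison above), illustrated as an added example. This is not Lancope or Cisco code; it assumes a reduced NetFlow/IPFIX-style record, constructed sample flows, and a simple per-host baseline of mean plus k standard deviations with a relative floor for hosts whose history has near-zero variance.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    # Reduced flow record (constructed shape, not a real NetFlow/IPFIX template)
    day: int        # observation day index
    src: str
    dst: str
    dst_port: int
    out_bytes: int  # bytes sent from src to dst


# Constructed sample: seven baseline days for two hosts, then day 7 where
# 10.1.1.5 pushes 80 MB to a new external peer over 443 (allowed by policy)
# and also touches an internal peer on 445.
FLOWS = [Flow(d, "10.1.1.5", "203.0.113.9", 443, 2_000_000 + d * 10_000) for d in range(7)]
FLOWS += [Flow(d, "10.1.1.7", "203.0.113.9", 443, 900_000 + (d % 3) * 50_000) for d in range(7)]
FLOWS += [Flow(7, "10.1.1.5", "198.51.100.20", 443, 80_000_000),
          Flow(7, "10.1.1.7", "203.0.113.9", 443, 910_000),
          Flow(7, "10.1.1.5", "10.1.1.7", 445, 50_000)]


def daily_out_bytes(flows):
    """Aggregate outbound bytes per (host, day) from the flow records."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.day)] += f.out_bytes
    return totals


def data_loss_alerts(flows, baseline_days, k=3.0, rel_floor=0.05):
    """Flag (host, day, bytes) where a host's outbound volume after the baseline
    window exceeds mean + k*stddev of its own history. The stddev floor of
    rel_floor*mean is a constructed heuristic so a flat history does not alert
    on trivial growth."""
    totals = daily_out_bytes(flows)
    history = defaultdict(list)
    for (host, day), b in totals.items():
        if day < baseline_days:
            history[host].append(b)
    alerts = []
    for (host, day), b in sorted(totals.items()):
        if day < baseline_days or host not in history:
            continue
        mu, sd = mean(history[host]), pstdev(history[host])
        if b > mu + k * max(sd, rel_floor * mu):
            alerts.append((host, day, b))
    return alerts


def exposure(flows, infected, since_day):
    """Scope an incident: every peer the infected host talked to (either
    direction) from since_day onward, taken from retained flow history."""
    peers = {f.dst for f in flows if f.src == infected and f.day >= since_day}
    peers |= {f.src for f in flows if f.dst == infected and f.day >= since_day}
    return sorted(peers)
```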

Attack Continuum: the Cisco portfolio with Network Behavior Analysis added
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
• Products shown: Firewall, VPN, NGFW, UTM, NAC + Identity Services, NGIPS, Advanced Malware Protection, Web Security, Network Behavior Analysis, Email Security, Lancope StealthWatch System
• Visibility and Context underpins all three phases

An Architectural Approach
• Pervasive visibility across the attack continuum
• Focus on threats in addition to policy
• Provide a holistic view into all host-to-host communication
• Reduce complexity, increase capabilities
• A platform strategy addressing a broad range of attack vectors – everywhere the threat manifests
• Enabled by world-class research and open source

Thank you.
