Transcript Slide 1

Discover, Determine & Defend
Anders Eriksson
Nordic-Baltic Regional Manager
phone +46 70 941 48 00
email [email protected]
Agenda
Introduction to Sourcefire
Redefining Intrusion Prevention
Sourcefire 3D Solution Overview
Sample Applications
Q&A
Introduction to Sourcefire
About Sourcefire, Inc.
Founded in 2001 by Martin Roesch,
the creator of SNORT®
HQ in Columbia, Maryland, US
• EMEA HQ in UK
• Nordic/Baltic office in Stockholm
• Germany, Paris, The Netherlands
800% growth over past three years
Staff 160+
Privately held and profitable
Registration Statement filed for IPO
Comprehensive intrusion prevention;
The integration of Threat, Endpoint,
and Network Intelligence
Hybrid Business Model
open source
+
Enterprise Class
Solutions & Support
Leveraging a Powerful Community
World's most widely deployed Intrusion Detection & Prevention Technology
Sourcefire Industry Recognition
RSA Innovator Award – February 2005
• “The real competition was for second place”
NSS Gold Award – April 2005
• “Only the fifth time that a product earned this designation”
SC Magazine IPS Group Test – July 2005
• Bested 11 vendors including ISS, McAfee,
& Tipping Point
• “Sourcefire 3D System –
Best IPS out there on the market”
Worldwide Total Network-Based IDS/IPS
Market Share Growth
Source:
Infonetics Research, Inc, Network Security Appliances and Software,
August 29, 2006
Users of Sourcefire Solutions
Banking
Telecom
Government Agencies
Energy & Utilities
On-line Gaming & Commerce
Redefining Intrusion Prevention
Gartner’s view on Intrusion Prevention
“IDS is dead”
– Said in 2003 by Gartner
A bad day at Sourcefire...
“Providing endpoint and network intelligence to network
security products significantly improves their capabilities
and limits the obstacles to a successful deployment.
Organizations deploying network security products should
look for their integration with vulnerability assessment and
network intelligence solutions.”
– Said in 2005 by Gartner Research Director, Amrit Williams
...turns out to be fantastic!
Next Generation Real-time Network Defense
Gartner Requirements – Sourcefire 3D Solution
• Near Continuous Scanning – Real-time discovery
• System Change Alerts – Real-time notification
• Identify “unmanaged” nodes on network – Real-time notification
• Receive frequent vulnerability updates – Real-time vulnerability database
• Ongoing monitoring for baseline compliance, vulnerabilities, and threats – Real-time monitoring for baseline compliance, vulnerabilities, and threats
• Standards-based interface to firewall, anti-virus and intrusion prevention systems to support rapid shielding – ABC (Alert, Block, or Correct) and Remediation Modules

Gartner Research Note:
Security Management Strategies and Processes
Strategic Planning, SPA-21-3635
From Niche Player to Leader in 1½ years
IDS Vendors – 2004 Q2
IPS Vendors – 2005 Q4
What True Intrusion Prevention gives you
Traditional Intrusion Prevention Systems
• Very expensive noise generator
• False positives a major issue
• Gartner says 99 out of 100 alerts mean nothing
• Confidence level low – only a small share of threats can be safely blocked
Can you afford to staff up on Analysts to make systems usable?
With Sourcefire 3D System
• Over 99% reduction of events
• Know what events are real and their criticality
• Know if critical assets have been compromised
• Automate time-consuming manual processes
• Analysts can focus on what’s important
• System provides real-time network defense
• We call it True Intrusion Prevention
All the Time
Technology
Threat, Endpoint, and Network Intelligence
Asset Mgmt.
Vulnerability Mgmt.
Policy Compliance
Configuration Mgmt.
Incident Response
Intrusion Detection
Intrusion Prevention
Event Management
and Forensics
Access Control
Policy Enforcement
Network Behavior
Analysis
Policy-Driven Automation
PRE-ATTACK
Know what Assets
are on your Network
and their Vulnerabilities
ATTACK
POST-ATTACK
Attack Recognition
& Interdiction
Identify Compromises,
Contain or Remediate
Applications
All Threats & all Vectors
Unknown and engineered attacks
Based on a 2005 study of more than 32 million
vulnerability assessment scans within its customer
base, Qualys Inc. found that on average, companies
take about 48 days to patch 50% of the internal
systems that could be exposed to a critical
vulnerability. Most damage is done within the
first 15 days of an exploit release.
Infrastructure
Attacks
According to the Secret Service/CERT E-Crime Watch Survey, the mean loss estimated by respondents was just over $500,000.
Insiders
In an annual study by IDG and PricewaterhouseCoopers, current employees account for 33% of network security threats, both intentional and unintentional.
Partners
Unknown Connections
The 2005 CSI/FBI Computer Crime and Security Survey reports that 66% of the security incidents that caused the greatest organizational losses in 2004 were unauthorized access and theft of proprietary information.
In a survey jointly done by ASIS International and the U.S. Chamber of Commerce, 138 executives of Fortune 1000 companies reported losses between $53 billion and $59 billion due to insider attacks.
Sourcefire 3D
Solution Overview
Sourcefire 3D – the three D’s of true IPS
Sourcefire 3D Solution a Little Closer
• Using SNORT’s powerful, flexible and
completely open rules language
• Detection and blocking of all known threats
• Protocol analysis for unknown and zero-day threats
• Passive discovery of all network assets
• Adding business context to the assets
• Selective target-based active scanning
• Network flow information
• Discovery of communications patterns
between network assets
• NBAD, discover changes in behavior
Sourcefire 3D – Components Overview
Intrusion Sensor Appliances
RNA (Real-time Network Awareness)
Software running on RA
and/or IS Appliances
Intrusion Agents
loaded on
your own
Open Source
Snort®
sensors
Defense Center Appliance
Web browser
Syslog, SNMP,
helpdesk systems,
e-mail, SMS etc.
IPS in-line blocking
or Remediation via
firewalls, routers,
switches etc.
Remediation via
Nessus active scan,
Shavlik patch &
configuration
management etc.
Sourcefire Intrusion Sensors
Snort-powered IDS / IPS offers the most comprehensive
rule set to detect all attacks
Rules are open – you can see what triggered an event
Viruses, trojan horses, worms, DoS, VOIP, malware,
OS/applications exploits, and other threats
Detects known threats via deep-packet inspection
Detects unknown threats via
• Vulnerability trigger conditions
• Anomaly detection
Sourcefire VRT (Vulnerability Research Team) experts keep up to date on new threats and vulnerabilities
Traps and traces the traffic associated with any attack
Intrusion Sensors
Passive Mode
Monitor, alert, defend via
Remediation Modules
In-line Mode
Alert, block
or drop traffic
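The slides above point to SNORT's open rules language ("you can see what triggered an event") and to the difference between passive operation (alert) and in-line operation (block or drop). The following is an added example, not Snort's or Sourcefire's own code: a parser and matcher for a small subset of the Snort rule syntax, run over constructed rules and packets. It shows that the rule behind every hit is visible in full, that a `$HOME_NET` / `$EXTERNAL_NET` variable with `!` negation keeps internal traffic from matching an inbound rule, and that the same `drop` rule can do no more than alert when the sensor is passive. The network variables, rule sids (local 1000000+ range) and packets are constructed for the demonstration; real Snort rules carry many option types this parser does not accept.

```python
"""Minimal Snort-style rule parser and matcher (added example, not Snort or
Sourcefire code). Supported subset: the header (action proto src sport -> dst
dport), $VAR network variables with optional '!' negation, 'any', single ports
and lo:hi ranges, and the options msg, content (plain text, nocase), sid, rev.
PCRE, byte_test, flowbits, hex content and other real options are out of scope."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed network variables, as snort.conf would define them.
NET_VARS = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!192.0.2.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|log)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    contents: list = field(default_factory=list)  # [pattern, nocase] pairs
    sid: int = 0
    rev: int = 0

def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %s" % text)
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    # Options are ';'-separated key:value pairs; 'nocase' has no value and
    # modifies the content option that precedes it.
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.contents.append([val, False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True
        elif key == "sid":
            rule.sid = int(val)
        elif key == "rev":
            rule.rev = int(val)
    return rule

def addr_matches(spec: str, ip: str) -> bool:
    spec = NET_VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":", 1)            # Snort ranges: 1:1024, :1024, 1024:
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)

def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (addr_matches(rule.src, pkt["src"]) and port_matches(rule.sport, pkt["sport"])
            and addr_matches(rule.dst, pkt["dst"]) and port_matches(rule.dport, pkt["dport"])):
        return False
    for pattern, nocase in rule.contents:  # every content option must be present
        hay, needle = pkt["payload"], pattern.encode()
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

def inspect(rules, packets, inline: bool):
    """Run packets through the rule set; returns (sid, msg, verdict) per hit.
    A 'drop' rule only drops when the sensor is in-line; in passive mode the
    same rule can do no more than alert."""
    hits = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                verdict = "drop" if inline and rule.action == "drop" else "alert"
                hits.append((rule.sid, rule.msg, verdict))
    return hits

# Constructed rules and packets for the demonstration.
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; '
    'content:"cmd.exe"; nocase; sid:1000001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 6000:6063 (msg:"X11 outside-network '
    'connection"; sid:1000002; rev:1;)',
)]
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10",
     "dport": 80, "payload": b"GET /cgi-bin/CMD.EXE HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "192.0.2.20", "sport": 40001, "dst": "192.0.2.10",
     "dport": 80, "payload": b"GET /cgi-bin/cmd.exe HTTP/1.0\r\n"},  # internal source
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40002, "dst": "192.0.2.30",
     "dport": 6010, "payload": b""},
]

if __name__ == "__main__":
    for mode in (False, True):
        print("in-line" if mode else "passive", inspect(RULES, PACKETS, inline=mode))
```

The second packet carries the same request as the first but originates inside `$HOME_NET`, so the negated `$EXTERNAL_NET` keeps it from matching; the third packet has no payload at all and still hits the header-only X11 rule, which is dropped in-line and merely alerted on in passive mode.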
RNA – Real-time Network Awareness
Real-time continuous passive discovery and
multi-vector profiling
Network Asset awareness
• Operating system vendors, versions & service packs
• Services vendors & versions
• Ports & protocols
• MAC & IP addresses
• Vulnerabilities
Behavioral awareness
• Traffic
• Peers
Criticality awareness
• Qualitative
• Quantitative
“Magic eye that watches everything happening on your network.”
– Network World
RNA vs. Active Scanning
Real-time Discovery (RNA) vs. Active Scanning:
• 24*7 discovery vs. intermittent
• Non-invasive – uses passive technologies vs. invasive (potentially destructive)
• Dynamic awareness – know exactly what is on the network at any point in time vs. static awareness – run intermittently (often in off hours)
• No network effect vs. consumes network bandwidth
• Personal firewalls not an issue vs. personal firewalls (e.g. SP2, Checkpoint, Sygate) block scans
• No need for “No Scan Zone” vs. frequently, mission critical systems are on “No Scan Zone”
RNA – Real-time Network Awareness
Without Sourcefire
Expensive noise generator
Many false positives and negatives
“99 out of 100 alerts mean nothing”, Gartner
Confidence level low
Few threats can be safely blocked
No knowledge of endpoints and their vulnerabilities
Don’t know what asset is being targeted by the attack
No correlation – can’t prioritize events
With Sourcefire
IPS driving real-time defense
Know that events are real
Know the criticality of events
Know if critical assets have been
compromised
Automate time-consuming manual
processes
Get correlated threat, endpoint, and network
intelligence and have the most accurate
threat data in front of you
RNA – NBAD (Network Behavior Anomaly Detection)
Know where your mission critical systems stand
Continually visualize & analyze packets, assets & data flows
Identify and track anomalies such as DDoS attacks, worms
and zero-day threats from any entry point
Detect and shut down illegal mail servers, rogue desktop
applications including desktop web servers
Enforce corporate policies for P2P restrictions such as Kazaa
and instant messaging
Sourcefire Defense Center
Alerting
• Real-time notification via all mainstream methods
• Programmatic interfaces support unlimited integration
• Streaming API
• Bi-directional command & control interfaces
Blocking
• Wire-speed interception of network threats
• Isolation and containment leveraging existing network
infrastructure
• Switches
• Routers
• Firewalls
Correction
• Patch or Configuration Management
• System and Network Management
• Asset management
Sourcefire Defense Center
Event correlation
• Correlates and prioritizes
attack data against the true
network layout and changes
Command and control
• Centrally administers all
your IS & RNA sensors
3D visualization
• Gives you clear picture of your
networks and all REAL attacks
Very low TCO
• Plug-n-Protect appliance
• Built-in, high performance database
• Integrated data management capability gives you the power to manage all of your events, scaling to enterprise deployments without having to license additional DB licenses
Sourcefire Defense Center
Helps document compliance with
• Federal Information Security Management Act (FISMA)
• Gramm Leach Bliley (GLB) Act
• Health Insurance Portability & Accountability Act (HIPAA)
• Sarbanes Oxley (SOX) Act
• Security Breach Information Act (SB 1386)
• Visa/MC Payment Card Industry’s (PCI) Data Security Standard
“In the PCI standard, it states we must use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. There are two kinds of IDS/IPSs on the market. One, you plug in and don’t ever want to hear from again. Then there’s the other kind that lets you get useful information about your network. That’s what we have with Sourcefire.”
Michael Morgan
Network Security Administrator
BankersBank Card Services
One-Click Compliance
Automating IT Compliance
One-Click Policy Baseline Development
• Operational networks, sub-nets, and/or individual assets used to auto-generate policies
Flexible Response Capabilities Automate Enforcement
• Network access control
• Vulnerability discovery & remediation
• Compromise containment (incident response)
• Network policy enforcement
Passive Discovery Methods Allow Persistent, Real-Time Monitoring & Enforcement
• Virtually no impact on network performance
Configurable Dashboard & Reporting
• Emphasis on simplified administration
True Intrusion Prevention – The Better Way
Sourcefire is the fastest growing company in the space due to its market-driven
solution, innovation, and value.
Gartner has moved Sourcefire to the front of the pack for “ability to execute” and
“completeness of vision” in its latest Network Intrusion Prevention Appliance Magic
Quadrant.
The true intrusion prevention approach gives you the best of both worlds: open source
community power and commercial innovation.
With this approach, you leverage the best industry technologies from Check Point
Software Technologies and Sourcefire (including Snort).
You save money and time
• 90% reduction in alerts
• Provides automation wherever possible (and requested)
• Uses Plug-n-Protect appliances
Bottom line—it’s the most effective security to protect your:
• Revenue
• Reputation
• Regulatory compliance
Global Alliances
Nokia
• OEM of native Sourcefire 3D suite of software (IS, RNA and DC)
• Nokia IPS running on IP390 (250 or 400 Mbps) for IS and RNA
• Nokia will introduce more platform options in 2007
• Sold & supported by Nokia Channel Partners
Nortel
• OEM of Sourcefire 3D suite of software
• Re-branded to Nortel TPS (Threat Protection System)
IBM
• Closely aligned with IBM Global Services, Strategic Outsourcing
• Using IBM eserver x346 in some appliances
X-beam
• Sourcefire 3D software running on Crossbeam X- series
• Meet-in-the-Channel-model
Q&A
In-depth
Appliance Overview
Intrusion Sensors – 45 Mbps to 1 Gbps
Intrusion Sensors – 1.5 Mbps to 4 Gbps
RNA Appliances – 45 to 500 Mbps
Defense Center Appliances
900 or 1300 IDS events/sec, 10 or 100 million IDS events in DB, 1 or 10 million RNA or RNA Flow events
In-depth
Remediation functions
Joakim Johansson
CISSP, SFCE
Security Engineer - Nordic/Baltic
CheckPoint OPSEC SAM (Rule Response)
- Responses triggered by the Sourcefire Intrusion Sensor
- Can be used on a standalone Intrusion Sensor
For how long will the OPSEC rule be active in the firewall
Action to take
CheckPoint OPSEC SAM (Remediation Response)
Response is taken on the Sourcefire RNA and/or the Sourcefire Defense Center based on policies created by the administrator
Block_traffic_in_firewall
Sample Applications
The damage DoS attacks can do
DoS (denial-of-service) attacks are a constantly growing problem
for both ISPs and organizations worldwide.
The primary problem for an ISP is the bandwidth DoS attacks
consume: annoyed customers who don’t get the bandwidth they pay
for. A DoS attack can cause more problems than just refusing
access to a service.
For an organization, being the targeted victim, the primary issues
are often more significant:
• Lost income
• Service level
• Trust and reputation
Actions you have to take
To detect and stop DoS (denial-of-service) attacks you have to
be able to:
• Baseline the networks in advance
• Configure sinkholes for invalid routes
• Implement pattern/signature analysis tools
• Design and plan for remediation on implemented equipment
How Sourcefire 3D prevents DoS attacks
With its sophisticated Intrusion Sensor and RNA Sensor,
Sourcefire can offer the market’s best prevention methods for
both intrusion and denial of service.
The Intrusion Sensor works in inline or passive mode and detects
and blocks DoS attacks using advanced rules and signatures.
When adding RNA Sensors to the solution you get an advanced
analysis tool that tracks flows and statistical data.
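The RNA slides (passive discovery of hosts, services, ports and peers; NBAD tracking changes in behavior), the DoS checklist above ("baseline the networks in advance") and the "Flow Anomaly" / "Service Anomaly" labels in the reference design all describe one technique: learn what the network looks like without sending a packet, then flag departures from that picture. The following added example (not Sourcefire RNA code) does this over constructed flow records. A learning window yields an inventory of monitored hosts and the services they answer on plus a per-host inbound flow-rate baseline; a later window then produces three events: a desktop that starts answering on 25/tcp (the rogue mail server case from the NBAD slide), an internal host never seen before, and a flood against the web server far above its baseline. The monitored prefix, the thresholds (five standard deviations above the mean, with a floor of 20 flows per minute) and all addresses are this example's assumptions.

```python
"""Passive asset discovery with baseline-driven anomaly detection (added
example, not Sourcefire RNA code). The sensor only sees flow records: who
talked to whom, on which port, and whether the destination answered. A clean
learning window builds the inventory and a per-host inbound flow-rate
baseline; a later window is checked for new hosts, services appearing where
none were offered before (service anomaly) and rate spikes (flow anomaly)."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:
    minute: int      # capture time, bucketed to minutes
    src: str
    dst: str
    dport: int
    answered: bool   # destination replied (SYN/ACK or UDP response seen)

class PassiveMonitor:
    def __init__(self, monitored: str, rate_factor: float = 5.0, min_rate: int = 20):
        self.monitored = ipaddress.ip_network(monitored)   # inventory scope (assumed)
        self.hosts = set()                 # monitored addresses seen on the wire
        self.services = defaultdict(set)   # host -> ports it has answered on
        self.rate_baseline = {}            # host -> (mean, stdev) inbound flows/min
        self.rate_factor = rate_factor     # stdevs above the mean that count as a spike
        self.min_rate = min_rate           # floor so quiet hosts don't alert on noise

    def _local(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.monitored

    def learn(self, flows):
        """Build inventory and baseline from a window assumed to be clean."""
        per_min = defaultdict(Counter)     # host -> minute -> inbound flow count
        for f in flows:
            self.hosts.update(h for h in (f.src, f.dst) if self._local(h))
            if f.answered:
                self.services[f.dst].add(f.dport)
            per_min[f.dst][f.minute] += 1
        minutes = sorted({f.minute for f in flows})
        for host, counts in per_min.items():
            series = [counts[m] for m in minutes]   # quiet minutes count as zero
            self.rate_baseline[host] = (mean(series), pstdev(series))

    def detect(self, flows):
        """Check a later window against the baseline; returns (kind, host, detail)."""
        events = []
        per_min = defaultdict(Counter)
        sources = defaultdict(set)
        for f in flows:
            for h in (f.src, f.dst):
                if self._local(h) and h not in self.hosts:
                    self.hosts.add(h)
                    events.append(("new_host", h, None))
            if f.answered and f.dport not in self.services[f.dst]:
                self.services[f.dst].add(f.dport)       # composition of the asset changed
                events.append(("service_anomaly", f.dst, f.dport))
            per_min[f.dst][f.minute] += 1
            sources[(f.dst, f.minute)].add(f.src)
        for host, counts in per_min.items():
            base_mean, base_sd = self.rate_baseline.get(host, (0.0, 0.0))
            threshold = max(self.min_rate, base_mean + self.rate_factor * max(base_sd, 1.0))
            for minute, n in sorted(counts.items()):
                if n > threshold:
                    events.append(("flow_anomaly", host, {
                        "minute": minute, "flows": n, "threshold": threshold,
                        "distinct_sources": len(sources[(host, minute)])}))
        return events

def constructed_flows():
    """Ten quiet minutes for learning, then two minutes holding three incidents."""
    learn, live = [], []
    for m in range(10):
        for i in range(4):   # steady web traffic from the Internet to the web server
            learn.append(Flow(m, "198.51.100.%d" % (10 + i), "192.0.2.10", 80, True))
        for i in range(2):   # internal desktops resolving names
            learn.append(Flow(m, "192.0.2.%d" % (20 + i), "192.0.2.53", 53, True))
    live.append(Flow(10, "192.0.2.21", "192.0.2.20", 25, True))   # desktop now answers SMTP
    live.append(Flow(10, "192.0.2.99", "192.0.2.10", 80, True))   # never-seen internal host
    for i in range(150):                                          # flood: 300 flows, 150 sources
        live += [Flow(11, "203.0.113.%d" % (i + 1), "192.0.2.10", 80, False)] * 2
    return learn, live

if __name__ == "__main__":
    learn, live = constructed_flows()
    monitor = PassiveMonitor("192.0.2.0/24")
    monitor.learn(learn)
    for event in monitor.detect(live):
        print(event)
```

Two design points matter in practice: the inventory is restricted to the monitored prefix, otherwise every Internet client would show up as a "new host" and the flood would bury the real finding; and the flow-anomaly detail carries the number of distinct sources, which is what separates a distributed flood from one busy client.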
Sourcefire
Passive Mode
Sourcefire
Inline Mode
Block Traffic
Drop Traffic
Alert
Monitoring
Defend – Via the ABCs
DoS Attack Protection
- DoS attacks, blocked by 30+ DoS Rules
- Worm-propagation, blocked by Signatures
- Trojans, blocked by Signatures
ISP Network:
Check Point
Cisco IOS
Other
Network TAP (fail-open)
with port aggregation
100 Mbps IPS in-line
using fail-open NIC
TAP
Link to ISP
Customer
Sourcefire RNA passive
discovery; Assets, Flows, NBAD
100Mbps and 254 IP-addresses.
Sourcefire IS2000
Intrusion Sensor incl.
Real-time Network
Awareness Software
Sourcefire
Remediation Modules
used to reconfigure switches,
routers and firewalls to block traffic
- Flow Anomaly
- Service Anomaly
Management
Network
Sourcefire DC1000
Defense Center for
correlation of IS and
RNA events.
Unknown Exploit
1. Reconnaissance activity detected by passive Intrusion Sensor; events associated with the target assigned higher priority.
2. RNA detects change in the behavior and/or composition of the compromised asset.
Unknown Exploit targeting unknown Vulnerability
Sourcefire Intrusion Sensor (in-line)
3. Correlated events trigger remediation policy:
- Isolate compromised server
- Block attacker at firewall
- Direct configuration mgmt.
- Notify system administrator
4. In-line Intrusion Sensor policy updated to prevent reoccurrence.
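The four steps above, the Defense Center slide's "correlates and prioritizes attack data against the true network layout", and the OPSEC SAM response with a configurable lifetime together describe a correlation-and-policy engine. The following added example (not Sourcefire Defense Center code) sketches one: intrusion events are scored against a constructed asset inventory (target not in inventory, targeted service absent, service present, version known vulnerable), the score is raised for hosts that were already probed and for business-critical hosts, a change event on a host that was just scanned is treated as a suspected compromise, and a policy table maps the resulting priority to the actions listed in step 3, with the firewall block carrying an expiry in the spirit of the OPSEC SAM "for how long will the rule be active" setting. The inventory, the rule metadata (which service and version prefixes a signature concerns), the 1-to-5 priority scale and the action names are all this example's assumptions.

```python
"""Event correlation and policy-driven remediation (added example, not
Sourcefire Defense Center code). Intrusion events are scored against a
passively discovered inventory, reconnaissance followed by a change in the
probed host is correlated into a suspected compromise, and a policy table
maps priority to remediation actions, with an expiring firewall block."""
from dataclasses import dataclass

# Constructed inventory of the kind a passive discovery sensor would build:
# host -> business criticality and the services it answers on (port -> name, version).
INVENTORY = {
    "192.0.2.10": {"criticality": "high", "services": {80: ("httpd", "2.0.52"), 22: ("sshd", "3.9")}},
    "192.0.2.20": {"criticality": "low", "services": {}},
    "192.0.2.53": {"criticality": "high", "services": {53: ("named", "9.2.4")}},
}
# Remediation policy, evaluated top-down: the first threshold the priority meets wins.
POLICY = [
    (5, ["isolate_host", "block_attacker_at_firewall", "direct_configuration_mgmt", "notify_admin"]),
    (4, ["block_attacker_at_firewall", "notify_admin"]),
    (2, ["notify_admin"]),
    (0, ["log_only"]),
]
BASE_PRIORITY = {"vulnerable": 4, "potentially_vulnerable": 3, "unknown_target": 2, "not_vulnerable": 1}

@dataclass
class IntrusionEvent:
    sid: int
    msg: str
    src: str
    dst: str
    dport: int
    target_service: str = ""          # constructed rule metadata: the service the
    vulnerable_versions: tuple = ()   # signature concerns and its bad version prefixes
    recon: bool = False               # scan / probe rather than an exploit attempt

@dataclass
class ChangeEvent:
    """Emitted by passive discovery when a host starts answering on a new port."""
    host: str
    new_port: int

def impact(ev: IntrusionEvent) -> str:
    """Judge an exploit attempt against what the target actually runs."""
    asset = INVENTORY.get(ev.dst)
    if asset is None:
        return "unknown_target"            # not in inventory: cannot be judged
    svc = asset["services"].get(ev.dport)
    if svc is None or (ev.target_service and svc[0] != ev.target_service):
        return "not_vulnerable"            # nothing listening, or a different service
    name, version = svc
    if ev.vulnerable_versions and version.startswith(ev.vulnerable_versions):
        return "vulnerable"
    return "potentially_vulnerable"        # right service, version not known to be bad

class Correlator:
    def __init__(self, block_ttl_seconds: int = 3600):
        self.recon_sources = {}            # probed host -> addresses that probed it
        self.block_ttl = block_ttl_seconds

    def _bump(self, priority: int, host: str) -> int:
        if host in self.recon_sources:     # step 1: prior recon raises later events
            priority += 1
        if INVENTORY.get(host, {}).get("criticality") == "high":
            priority += 1
        return min(priority, 5)

    def handle_intrusion(self, ev: IntrusionEvent) -> dict:
        if ev.recon:
            self.recon_sources.setdefault(ev.dst, set()).add(ev.src)
            return self._respond(1, ev.dst, ev.msg, {ev.src})
        level = impact(ev)
        priority = BASE_PRIORITY[level]
        if level != "not_vulnerable":      # noise stays noise whatever the target's value
            priority = self._bump(priority, ev.dst)
        return self._respond(priority, ev.dst, "%s [%s]" % (ev.msg, level), {ev.src})

    def handle_change(self, ch: ChangeEvent) -> dict:
        attackers = self.recon_sources.get(ch.host, set())   # step 2 meets step 1
        priority = 5 if attackers else self._bump(2, ch.host)
        reason = "new service on port %d%s" % (ch.new_port, " after reconnaissance" if attackers else "")
        return self._respond(priority, ch.host, reason, attackers)

    def _respond(self, priority, host, reason, attackers) -> dict:
        actions = next(a for threshold, a in POLICY if priority >= threshold)
        response = {"host": host, "priority": priority, "reason": reason, "actions": list(actions)}
        if "block_attacker_at_firewall" in actions:
            # Firewall rule response with a lifetime; the field names are this example's own.
            response["firewall_blocks"] = [{"src": a, "ttl_seconds": self.block_ttl} for a in sorted(attackers)]
        return response

def run_sample():
    """Constructed event stream: one scan, four exploit attempts, two host changes."""
    c = Correlator(block_ttl_seconds=1800)
    exploit = ("httpd", ("2.0.",))
    intrusions = [
        IntrusionEvent(1000010, "SCAN SYN scan", "198.51.100.7", "192.0.2.10", 80, recon=True),
        IntrusionEvent(1000011, "WEB-SERVER httpd overflow attempt", "198.51.100.7", "192.0.2.10", 80, *exploit),
        IntrusionEvent(1000011, "WEB-SERVER httpd overflow attempt", "198.51.100.9", "192.0.2.20", 80, *exploit),
        IntrusionEvent(1000011, "WEB-SERVER httpd overflow attempt", "198.51.100.9", "203.0.113.5", 80, *exploit),
        IntrusionEvent(1000012, "DNS named overflow attempt", "198.51.100.11", "192.0.2.53", 53, "named", ("9.3.",)),
    ]
    changes = [ChangeEvent("192.0.2.10", 4444), ChangeEvent("192.0.2.53", 8080)]
    return [c.handle_intrusion(e) for e in intrusions] + [c.handle_change(ch) for ch in changes]

if __name__ == "__main__":
    for response in run_sample():
        print(response["priority"], response["host"], response["reason"], response["actions"])
```

The same httpd signature fires three times and yields three different outcomes: full remediation against the scanned, vulnerable, critical web server; a log entry for the desktop that runs no web server at all; and an analyst notification for the target outside the inventory, which the system cannot judge and should not silently discard. The new port on the web server after the scan is what turns steps 1 and 2 into the step 3 response, with the scanning address blocked for the configured 1800 seconds.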

Patch Management
(or other solution)
Sourcefire Intrusion
& RNA Sensors
Sourcefire Defense Center
