Slide deck, 43 pages. Posted on: 6/13/2012
Sourcefire 3D System for Enterprise Threat Management
Dominic Storey, Technical Director, Sourcefire EMEA

Who Is Sourcefire?
• Mission: to help customers manage increasing risks and regulations by providing the most effective, efficient security possible, driven by network intelligence
• Founded in 2001 by Snort creator Martin Roesch
• Headquarters: Columbia, MD
• Employees: more than 240
• More than 1,500 enterprise and government customers; over 25 of the Fortune 100 are customers
• Global partner/distributor network
• NASDAQ: FIRE
• "Best of both worlds": the open source community plus corporate support and innovation

How Sourcefire Is Different: Leveraging the Snort Community
• A global base of skilled security professionals, giving customers broad access to well-trained personnel
• The Sourcefire VRT is augmented by the resources of the community, giving customers the world's largest threat response team

The Real Problem to Be Solved
• Who are my enemies?
• Where are my weaknesses?
• What are they doing?
• What can I do about it?
• At the centre of all four: skilled, empowered, intelligent staff

Reassessing Enterprise Threat Management
• Security spending is growing dramatically as a percentage of the overall IT budget (chart: roughly 11%, 11%, 13% and 17% for 2003 to 2006; source: 2006 CIO/CSO/PwC State of Information Security Survey)
• Product categories in play: Intrusion Prevention, Vulnerability Assessment, Threat Intelligence, Endpoint Intelligence, Network Behaviour Analysis (NBA), Network Access Control (NAC)
• Systems must work more intelligently to solve the core problems. Yet the threats keep coming! A new approach is needed.
[Chart: reported security incidents (0 to 160,000) plotted against security software revenue (US$0 to $9,000 million), 1995 to 2003.]

Today's Threat Landscape
• External attacks: Trojans, viruses, worms, phishing; not stopped by firewalls; requires IPS
• Undetected attacks: vulnerabilities and compromised machines may lie dormant for months, awaiting an attacker to exploit them; requires vulnerability awareness and end-point intelligence
• Porous perimeter: every machine is a peering point, and laptops carry infection past firewalls; requires IDS
• Information leakage: point-to-point VPNs plus desktop and mobile internet connections provide ample opportunity; requires compliance monitoring and enforcement
• Underpinning all four: network intelligence and user intelligence, spanning Intrusion Prevention, Vulnerability Assessment, NBA and NAC

Introducing the Sourcefire 3D System
• Sourcefire IPS: leverages Sourcefire VRT rules to identify malicious traffic; in-line or passive mode of operation
• Sourcefire RNA (Real-time Network Awareness): monitors network traffic and provides network and endpoint intelligence; passive and active methods of discovery; baselines the normal behaviour of network devices and alerts on exception
• Sourcefire RUA (Real-time User Awareness): maps the identity of users to networked computers
• Sourcefire Remediation: automates security response; interfaces with your security ecosystem
• Defense Center: centrally manages, enforces and reports on security, policy and compliance; correlates and analyses events; provides sensor lifecycle management and system health status

Sourcefire 3D System Components (Discover, Determine, Defend)
• Sensing network: 3D Sensors run IPS (in-line), RNA (passive) and RUA (passive or in-line) on gigabit copper or fibre interfaces, with passive copper taps for RNA
• Management network: sensors report to the Defense Center (DC) over an SSL-encrypted VPN on port 8305; typically about 1 KB per intrusion event and about 100 bytes per RNA event
• The DC drives response via email, SNMP, syslog and SSL to firewalls, IPS, switches and routers, and handles configuration and compliance management
3D Sensor Architecture
• Interfaces: in-line, passive and passive stand-alone, on gigabit copper or fibre
• Intrusion prevention engines: pre-processors and the Snort rules engine
• RNA detection engines: real-time protocol analyser and fingerprint processor
• RUA detection engines: user identifier / protocol decode and UID tracking
• Output spooler feeding a MySQL database
• Services: Apache web management application (HTTPS, port 443); command and control subsystem (SSL, port 8305); SSH (port 22)

If Sourcefire Made Cars...
• Snort: the engine (enterprise quality, 80+ OEMs, enormous community)
• Snort rules: the fuel (open rule set; rules, not signatures)
• Sourcefire: the car (turns torque into motion)

Vulnerability Research Team (VRT)
• $10 million investment; 200-server regression test facility in Columbia, MD
• Writes rules, not signatures
• Full-time team: analyses vulnerabilities, reverse-engineers patches
• Regular rule updates

IPS Is Tougher Than You Think!
• Detecting something is easy
• Detecting something meaningful is a lot more difficult
• Making IPS un-evadable is vital

Why Intrusion Prevention Is HARD!!
• [Diagram: the same sequence of overlapping IP fragments carrying the text BUFFER OVERFLOW is shown after reassembly on Win32, FreeBSD, a LaserJet, Linux and IOS; each target resolves the overlaps by its own rule and ends up with a different byte string.]
• [Diagram: an attacker behind an intrusion sensor, facing IIS on Windows, Apache on Linux, SMTP on Linux, RPC on Sun, FTP on HP-UX and a mainframe. Attacker strategy? Which reassembly does the sensor use?]
• To do a good job of detection, you MUST understand the target!

The Service Problem
• Question: how many different ways could you represent the letters 'a', 'e', 'i', 'o', 'u' in a URL?
• Answer: more than 83,060,640, and that's just using Microsoft web servers!
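The fragment diagram above is the target-based reassembly problem in one picture: an attacker sends overlapping IP fragments, every operating system resolves the overlap by its own rule, and a sensor that does not reassemble the way the target does will either miss the attack or alert on something the target never executes. The following is an added example, not code from the deck or from Sourcefire/Snort. It implements four overlap policies (first, last, bsd, linux) using the overlap rules described for Snort's frag3 preprocessor in Novak's "Target-Based Fragmentation Reassembly", reduced to the single overlap decision and using byte offsets instead of the 8-byte units real IP fragment offsets count in; the fragment set and the names reassemble, views and sensor_disagrees are constructed for the illustration.

```python
"""Target-based IP fragment reassembly (added example, not Sourcefire/Snort code).

The same overlapping fragments reassemble to different payloads depending on
the overlap policy of the receiving host. Offsets are plain byte offsets here
(real IP fragment offsets count 8-byte units); the policy logic is the same.
Policies follow the overlap rules described for Snort's frag3 preprocessor
(Novak, "Target-Based Fragmentation Reassembly"), reduced to one question:
does a later fragment override a byte an earlier fragment already supplied?
"""
from typing import Callable, Dict, List, Optional, Tuple

Fragment = Tuple[int, bytes]  # (byte offset, payload), listed in arrival order

# new_off / old_off are the start offsets of the later and the earlier fragment.
POLICIES: Dict[str, Callable[[int, int], bool]] = {
    "first": lambda new_off, old_off: False,               # earlier fragment always wins
    "last":  lambda new_off, old_off: True,                # later fragment always wins
    "bsd":   lambda new_off, old_off: new_off < old_off,   # later wins only if it starts earlier
    "linux": lambda new_off, old_off: new_off <= old_off,  # later wins if it starts at or before
}


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments under one overlap policy.

    Bytes that no fragment supplied are left as b'?' so gaps stay visible.
    """
    wins = POLICIES[policy]
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(b"?" * total)
    owner: List[Optional[int]] = [None] * total  # start offset of the fragment owning each byte
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if owner[pos] is None or wins(off, owner[pos]):
                buf[pos] = byte
                owner[pos] = off
    return bytes(buf)


# Constructed attacker datagram: four fragments, three of them overlapping
# earlier ones from a lower, a higher and an equal start offset respectively.
ATTACK_FRAGS: List[Fragment] = [
    (2, b"FFER"),  # arrives first, covers bytes 2-5
    (0, b"BUXX"),  # covers bytes 0-3, overlapping 2-3 from a lower start offset
    (3, b"Y"),     # overlaps byte 3 from a higher start offset
    (0, b"Q"),     # overlaps byte 0 from an equal start offset
]


def views(frags: List[Fragment] = ATTACK_FRAGS) -> Dict[str, bytes]:
    """What each policy, i.e. each kind of target, ends up with."""
    return {policy: reassemble(frags, policy) for policy in POLICIES}


def sensor_disagrees(frags: List[Fragment], sensor_policy: str,
                     target_policy: str, pattern: bytes) -> bool:
    """True when a content match for `pattern` on the sensor's reassembly
    differs from what the target sees: a false alarm or a miss."""
    on_sensor = pattern in reassemble(frags, sensor_policy)
    on_target = pattern in reassemble(frags, target_policy)
    return on_sensor != on_target


if __name__ == "__main__":
    for policy, payload in views().items():
        print(f"{policy:5s} target sees {payload!r}")
    # A sensor reassembling 'first' style matches BUFFER, although a
    # 'linux' target never sees that string.
    print("first-style sensor vs linux target:",
          sensor_disagrees(ATTACK_FRAGS, "first", "linux", b"BUFFER"))
```

The practical consequence is the one the slide draws: a sensor needs a per-host reassembly policy (which is what RNA's OS fingerprinting feeds into the IPS), because a single global policy is wrong for every target that does not share it.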
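The Service Problem figure comes from multiplying, character by character, every spelling a lenient web server will accept: the literal character, its %XX form, the overlong 2-, 3- and 4-byte UTF-8 forms (in upper- and lower-case hex), the IIS-specific %uXXXX form, and the double-encoded version of each. A detector's answer is canonicalisation: decode every form to the same characters before matching. The following is an added example, not code from the deck or from Snort's http_inspect. spellings() enumerates the variants for one character, lenient_utf8_decode() accepts the overlong sequences that Python's strict codec rightly rejects, and canonicalize() decodes in a bounded number of rounds so double encoding cannot loop forever. The variant set, function names and sample path are constructed; the counts it produces are for this variant set only, not the slide's figure.

```python
"""Many URL spellings for one character, and canonicalisation before matching.
Added example, not code from the deck or from Snort's http_inspect.
"""
import math
import re
from typing import List, Set

MAX_ROUNDS = 3  # bound on repeated decoding, so nested %25 encodings cannot loop forever

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_PCTU = re.compile(r"%u([0-9A-Fa-f]{4})")  # IIS-style %uXXXX encoding


def utf8_forms(cp: int) -> List[bytes]:
    """Every 1- to 4-byte UTF-8 spelling of a code point, including the
    overlong ones (leading zero bits) that a strict decoder must reject."""
    forms = []
    if cp < 0x80:
        forms.append(bytes([cp]))
    if cp < 0x800:
        forms.append(bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)]))
    if cp < 0x10000:
        forms.append(bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)]))
    forms.append(bytes([0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                        0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)]))
    return forms


def spellings(ch: str) -> Set[str]:
    """Distinct URL spellings of one character a lenient server may accept:
    literal, %XX per UTF-8 form (upper and lower hex), %uXXXX, and the
    double-encoded ('%' written as '%25') version of each of those."""
    cp = ord(ch)
    out = {ch} if cp < 0x80 else set()
    for form in utf8_forms(cp):
        pct = "".join("%%%02X" % b for b in form)
        out.update({pct, pct.lower()})
    out.update({"%%u%04X" % cp, "%%u%04x" % cp})
    out |= {s.replace("%", "%25") for s in out if "%" in s}
    return out


def combinations(text: str) -> int:
    """Spellings of a whole string: the product of per-character spellings."""
    return math.prod(len(spellings(c)) for c in text)


def lenient_utf8_decode(data: bytes) -> str:
    """UTF-8 decoding that accepts overlong sequences, as a lenient server would."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif 0xC0 <= b < 0xE0:
            n, cp = 2, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 3, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            n, cp = 4, b & 0x07
        else:
            out.append("\ufffd"); i += 1; continue
        tail = data[i + 1:i + n]
        if len(tail) != n - 1 or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd"); i += 1; continue  # truncated or bad continuation byte
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd"); i += n
    return "".join(out)


def _percent_decode(s: str) -> bytes:
    buf, i = bytearray(), 0
    while i < len(s):
        m = _PCT.match(s, i)
        if m:
            buf.append(int(m.group(1), 16)); i = m.end()
        else:
            buf += s[i].encode("utf-8", "surrogatepass"); i += 1
    return bytes(buf)


def canonicalize(path: str, rounds: int = MAX_ROUNDS) -> str:
    """Decode %uXXXX, %XX and (overlong) UTF-8 repeatedly until the path stops
    changing or the round limit is hit; match signatures on the result."""
    for _ in range(rounds):
        step = _PCTU.sub(lambda m: chr(int(m.group(1), 16)), path)
        step = lenient_utf8_decode(_percent_decode(step))
        if step == path:
            break
        path = step
    return path


if __name__ == "__main__":
    print(sorted(spellings("a")))
    print("spellings of 'aeiou' with this variant set:", combinations("aeiou"))
    # Constructed request path using the overlong slash (%c0%af): the
    # directory traversal is only visible after canonicalisation.
    print(canonicalize("/scripts/..%c0%af../winnt/system32/cmd.exe"))
```

With this deliberately small variant set a single vowel already has 17 spellings and the five vowels together have 17^5, which is why the slide's number runs to eight digits once case mixing, further overlong forms and other server quirks are added; a detector that matches on the raw request line rather than on the canonical form will be evaded by the first variant it did not think of.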
(The Service Problem figure is from Eric Hacker, "IDS Evasion with Unicode", www.securityfocus.com.)

3D Sensor Capabilities
• Intrusion prevention: vulnerability-based, not exploit-based, detection rules; 'instant on' IPS rule set
• Open-standard rules language: modify any rule or create your own; an industry standard with over 150,000 active users
• Forensics: view event data down to the packet level; view rules and data for auditable decision making
• Performance: 5 Mbps to 10 Gbps; latency capping
• Threat protection against worms, Trojans, port scans, buffer overflow attacks, spyware, protocol anomalies, malformed traffic, invalid headers and zero-day attacks

In-line Sensor Failover
• All 3D sensors use a special failover NIC
• The NIC failover circuitry enters bridge mode when the sensor loses power, suffers a software failure, or is intentionally shut down
• The change is instant

High Performance: 3D-5800
• Hybrid ASIC/PowerPC architecture: an NPM (G5) with 2 ASIC NPUs and 2 PPC CPUs and an APM with 4 PPC CPUs on a chassis backplane connector
• 'Stackable' chassis enables scalable performance
• 8/4 ports (IDS/IPS) per chassis; line speeds of 3.5/4 Gbps (IPS/IDS)
• Unsurpassed protection for VoIP
• Fault-tolerant design: dual power supplies, hot-swap, mirrored hard disks

Breaking the 10G Barrier: Sourcefire 3D9800 Sensor
• 12 dual-core PowerPC processors (24 cores)
• Up to 2 Network Interface Modules (NIMs): 4 fibre ports at 10 Gbps; 12 copper ports at 1 Gbps; 12 copper ports plus 2 x 10 Gbps fibre (Q1/2008); 16 copper ports at 1 Gbps (Q1/2008)

Tuning Sensors
• Sensor tuning is important for performance and alert validity
• Statistical data from intrusion sensors can easily be used for tuning
• RNA can auto-tune the intrusion sensor, reducing or eliminating the tuning burden
• The biggest impact on event reduction comes from correlating passive discovery data with intrusion event data

Context Is Everything
• Illustration: -20°C in Reykjavik versus +20°C in Reigate; a reading only means something with its context
• How to discover context? Active scanning, or passive network discovery

Why Passive Network Discovery?
• Your active scan of the oil refinery SCADA network corrupts control-system data and causes a life-threatening failure of the plant
• Your active scan of the medical imager reboots the liquid helium controller; the imager is down for 2 days due to temperature instability
• [Chart: scan quality/accuracy against time. Accuracy peaks when the scan occurs and decays over the coherence time t; active scans never seem to reflect reality for very long.]

You Can Learn More by Listening...
Machines reveal a great deal about themselves:
• Operating system(s), vendor, version
• Services, vendors, versions
• Ports and protocols
• MAC and IP address(es)
• Vulnerabilities
• User data
• Behavioural information
Passive discovery is the basis of Sourcefire Real-time Network Awareness (RNA).

What Does RNA Capture?
• Information on hosts: client, server or bridge
• Information on services: ftp, telnet, ssh ...
• Information on flows: who talked with whom, which protocol, which ports
• RNA continuously computes an error margin and reflects it in a per-host confidence figure
• From this data, network maps are constructed and vulnerability tables computed
[Network map: hosts annotated with confidence figures such as 12%, 24%, 49%, 59%, 77%, 82% and 100%.]

RNA Placement Strategy
• On 3D Sensors, either co-located with IPS or separate from IPS
• "Ground level": high resolution (on the broadcast domain); good for servers
• "High ground": high visibility (by DNS and mail servers); good for workstations
• Most companies mix both methods to optimise coverage

Putting RNA and Intrusion Data to Work: Finding the Events That Matter with the Sourcefire Defense Center
• Intrusion events arrive at thousands per hour; data reduction brings alerts down to tens per hour
• End-point intelligence: hosts and services, attacks, and a vulnerability database drawing on CVE, Bugtraq, Sourcefire, Arachnids, Nessus and Cisco data
• Network intelligence: flows and anomalies
• The Defense Center provides powerful data reduction, pivoting and correlation services
• Web-based or optional 3D visualisation clients; third-party event managers
• Incident management subsystem included: incident processing and report generation
• Easy interface to your existing security ecosystem

The Power of the Pivot
• Selection → suspect candidates (intrusion events) → other possible victims
• Pivot and drill down to the suspect-to-victim conversation

Powerful Reporting
• Tailor reports on your most critical assets
• Automate compliance reporting: schedule tailored reports to be emailed to your compliance managers
• Multiple formats: PDF, HTML or Excel
• Stream reporting to third-party applications
• Pipeline: report profile (search filter, time window, workflow selection, summary selection) → query engine → report formatter → output spooler (disk, email)

Responding to Network Events: Two Levels
• At the 3D Sensor: a rule processor operates on events from the network; the sensor rule policy programs the sensor response
• At the Defense Center: a rule processor operates on events from sensors and a response processor triggers remediation; the compliance policy programs the DC event response; used for compliance rules

Responding to Network Events: Remediation Subsystem
• The remediation subsystem is called when compliance rule conditions
are triggered by a network condition (threat and/or endpoint)
• Remediation modules typically interface to third-party control systems: router/firewall (IP, port, policy), NAC, configuration management, host/service anomaly detection
• Pre-written modules: perform a Cisco IOS null route or PIX ACL; add a temporary Check Point block rule; initiate a "surgical scan"
• The real power is in writing your own remediation module: simple scripting (Bash, Perl) or C

One-Click Compliance
• Maps "what is" (the real-time network map) to "what should be" (the intended network map, built with the compliance builder)
• White listing, not black listing
• A comparator feeds the alert subsystem and the remediation subsystem

Network Anomaly Detection (Trend Analysis / NBA)
• Sophisticated statistical analysis on flow samples
• Network behaviour is learned over a training period; any departure triggers an alert
• Departure is measured as absolute value, derivative (velocity) or standard deviation (sigma)
• Many quantities can be sampled

NetFlow Analysis ... and Other Enhancements
• Support for NetFlow (v5) collection: configure 3D Sensors to collect NetFlow from one or more sources (routers and switches) and forward it to the Defense Center
• Combine it with RNA native flow data
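The NBA slide names three departure tests (absolute value, velocity, sigma) applied after a training period. The following is an added example, not Sourcefire code, showing how those three tests behave differently on the same sampled quantity: a hard ceiling fires only once a value is large in absolute terms, the velocity test fires on the jump and on the drop but goes quiet on a plateau, and the sigma test fires for anything far from the learned mean. The flow counts, the threshold values and the names train, check, run and demo are constructed for the illustration.

```python
"""Baseline-and-deviate anomaly detection on sampled flow counts (added
example, not Sourcefire code). Behaviour is learned over a training period;
a departure is flagged by absolute value, derivative (velocity) or standard
deviation (sigma), the three tests the slide lists.
"""
from statistics import mean, pstdev
from typing import Dict, List, Optional


def train(samples: List[float]) -> Dict[str, float]:
    """Learn the baseline (mean and sigma) from the training window."""
    return {"mean": mean(samples), "sigma": pstdev(samples)}


def check(baseline: Dict[str, float], prev: float, cur: float,
          abs_limit: Optional[float] = None,
          velocity_limit: Optional[float] = None,
          sigma_limit: float = 3.0) -> List[str]:
    """Return the names of the tests the current sample fails."""
    alerts = []
    if abs_limit is not None and cur > abs_limit:
        alerts.append("absolute")   # hard ceiling, independent of the baseline
    if velocity_limit is not None and abs(cur - prev) > velocity_limit:
        alerts.append("velocity")   # rate of change between consecutive samples
    if baseline["sigma"] > 0 and abs(cur - baseline["mean"]) / baseline["sigma"] > sigma_limit:
        alerts.append("sigma")      # distance from the learned mean, in standard deviations
    return alerts


def run(samples: List[float], train_len: int, **limits) -> Dict[int, List[str]]:
    """Train on the first train_len samples, then test every later one.
    Returns {sample index: [failed tests]} for the samples that alerted."""
    baseline = train(samples[:train_len])
    alerts: Dict[int, List[str]] = {}
    for i in range(train_len, len(samples)):
        failed = check(baseline, samples[i - 1], samples[i], **limits)
        if failed:
            alerts[i] = failed
    return alerts


# Constructed data: new flows per minute from one host. Twenty quiet minutes
# of training, then a ramp into a scan-like burst and a drop back to normal.
TRAINING = [98, 102, 101, 99, 100, 103, 97, 100, 101, 99,
            102, 98, 100, 101, 99, 100, 102, 98, 101, 99]
MONITORED = [101, 100, 104, 140, 900, 905, 100]
SAMPLES = TRAINING + MONITORED


def demo() -> Dict[int, List[str]]:
    """Thresholds chosen for the constructed data: ceiling 500 flows/min,
    velocity 30 flows/min per sample, sigma 3."""
    return run(SAMPLES, len(TRAINING), abs_limit=500, velocity_limit=30, sigma_limit=3.0)


if __name__ == "__main__":
    for idx, failed in demo().items():
        print(f"minute {idx}: {SAMPLES[idx]:4d} flows -> {', '.join(failed)}")
```

The training mean here is 100 with a sigma of about 1.58, so the small wobble to 104 stays under three sigma while the jump to 140 trips both velocity and sigma; the plateau at 905 is caught by the ceiling and sigma only, and the drop back to 100 is caught by velocity alone. That is the reason to keep all three tests rather than pick one: each is blind to a different shape of departure.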
• NetFlow collection also extends RNA's reach to areas of the network not monitored by an IPS/RNA 3D Sensor
• Network map and topology improvements
• Flow data compression

Identity Mapping: Sourcefire Real-time User Awareness (RUA)
• People, not computers, commit crimes
• RUA maps user names to IP addresses within the Sourcefire 3D System, using LDAP and Microsoft Active Directory
• It feeds an identity database alongside intrusion events and end-point intelligence, enabling user-specific rules, user remediation, user-incident processing and report generation
• With RUA it is easier to determine the physical location of exploited hosts, to identify employees hacking into internal systems, and to set up per-user compliance
• RUA example: real-time network user lists

System Management
• All sensors are managed via policies: intrusion policies, RNA policies, system policies and health policies
• Defense Center scheduler: download and push rule updates; apply policy changes during quiet periods; download and apply software and rule updates; generate reports; perform backups
• Five levels of user privilege: admin access, data access, restricted data access, maintenance access and rules access
• User-specific environment: local time zone support (e.g. EDT, GMT, CET, JST, WST); per-user 'skins' (workflow, address resolution, refresh interval, etc.); per-user event filter
• The privilege levels map onto tasks: administer the system, perform analysis, schedule jobs, update rules and policies, monitor health, generate reports
• IP-based access security

Integrating with Your Security Ecosystem
• Outputs: eStreamer, SNMP traps, syslog, SMTP, SSL, OPSEC and the Remediation API; consumers include incident management, SIEM/log management, business analytics, network monitoring, patch management, network infrastructure and NAC
• Inputs: touch-free network taps; LDAP user authentication; the Host Input API, which takes NetFlow, network infrastructure, patch management, VA/active scanning and CMDB/asset list data

Scaling the Global Enterprise
• DC1000: RAID 1, 25 sensors, 10 million events
• DC3000: RAID 5, 100 sensors, 100 million events
• DC high availability: mirrored DCs
• Master Defense Center (MDC): cascades events from up to 10 DCs, each managing up to 100 sensors, for a global overview

Other Features
• Master Defense Center Phase II: subordinate policy management; mirroring support for the MDC and subordinate DCs
• Host Input API: incorporate external asset information into RNA
• Miscellaneous improvements: Internet Explorer 7 support, streamlined communications protocols, right-mouse actions, improved network map, impact rating of blocked events, the ability to prohibit packet capture, and snoozing health monitoring during maintenance

ROA: "Return on Analysis"
• Threat data (open rules, IPS) and target data (RNA) meet in the Defense Center: central management, a global view, reliable and auditable decisions
• Build compliance policy; discover problem systems in real time; event reduction; target analysis; real-time change discovery; automatic response; event pivoting; report on event
• Outcomes: save time and reduce operational cost; mitigate future risk; prove compliance; decrease incident response effort

Demonstration: Sourcefire 3D System
• Sourcefire's live system of IPS, RNA and Defense Center

Summary
• Sourcefire solutions provide practical answers to problems with current intrusion prevention
• End-point correlation saves time by reducing the number of alerts and the time spent dealing with them
• Sourcefire remediation enables you to enforce a wide range of security
policies on your network
• Sourcefire solutions run on a wide range of hardware, offering the right solution to fit your size of business

Questions & Answers