Sourcefire 3D™ System for Enterprise Threat Management
Dominic Storey
Technical Director, Sourcefire EMEA
Who Is Sourcefire?

Mission: To help customers manage increasing risks and regulations by providing the most effective, efficient security possible—driven by network intelligence.

• Founded in 2001 by Snort creator Martin Roesch
• Headquarters: Columbia, MD
• Employees: more than 240
• More than 1,500 enterprise and government customers
• Over 25 of the Fortune 100 are customers
• Global partner/distributor network
• NASDAQ: FIRE

[Diagram: Best of Both Worlds: Open Source Community + Corporate Support & Innovation]
How Sourcefire is Different—Leveraging The Snort Community

• Global base of skilled security professionals, giving customers broad access to well-trained personnel.
• Sourcefire VRT is augmented by the resources of the community—giving customers the world’s largest threat response team.
The Real Problem to be Solved

[Diagram: four questions around “Skilled, Empowered, Intelligent Staff”]
• Who are my enemies?
• Where are my weaknesses?
• What are they doing?
• What can I do about it?
Reassessing Enterprise Threat Management

Security spending is dramatically growing as a percentage of the overall IT budget…
[Chart: security spending as a percentage of IT budget: '03 11%, '04 11%, '05 13%, '06 17%]
Source: 2006 CIO/CSO/PWC State of Info Security Survey

[Chart: Incidents (0–160,000) vs. Security Software Revenue ($0–$9,000 millions), 1995–2003]

Yet the threats keep coming! A new approach is needed.
Systems must work more intelligently to solve the core problems.

[Diagram: Intrusion Prevention, Vulnerability Assessment, Network Behavior Analysis (NBA) and Network Access Control (NAC) around Threat, Endpoint and Network Intelligence]
Today’s Threat Landscape

External Attacks: Trojans, viruses, worms, phishing… Not protected by firewalls. Requires IPS.
Undetected Attacks: Vulnerabilities and compromised machines may lie dormant for months, awaiting an attacker to exploit them. Requires vulnerability awareness and end-point intelligence.
Porous Perimeter: Every machine a peering point. Laptops carry infection past firewalls. Requires IDS.
Information Leakage: Point-point VPNs + desktop and mobile internet connections provide ample opportunity. Requires compliance monitoring and enforcement.

[Diagram: Intrusion Prevention, Vulnerability Assessment, Network Behavior Analysis (NBA) and Network Access Control (NAC) around Network Intelligence and User Intelligence]
Introducing the Sourcefire 3D System

Sourcefire IPS
• Monitors network traffic
• Leverages Sourcefire VRT Rules to identify malicious traffic
• In-line or passive mode of operation
Sourcefire RNA™
• Provides network and endpoint intelligence
• Provides passive and active methods of discovery
• Baselines normal behaviour of network devices and alerts on exception
Sourcefire RUA™
• Maps identity of users to networked computers
Sourcefire Remediation
• Automates security response
• Interfaces with your security ecosystem
Defense Center
• Centrally manages, enforces, and reports on security, policy, and compliance
• Correlates and analyzes events
• Provides sensor lifecycle management and system health status
Sourcefire 3D System Components

[Diagram: Discover → Determine → Defend]
Discover (Sensing Network): IPS, RNA and RUA sensors, each in-line or passive, on G/bit copper or fiber.
Determine: sensors report to the Defense Center (DC) over an SSL-encrypted VPN (Port 8305); the diagram labels the event streams “Typically 1Kb / event” and “Typically 100b / event”.
Defend (Management Network, G/bit copper): Email, SNMP, Syslog, SSL out to firewalls, IPS, switches, routers, and configuration and compliance management.
3D Sensor Architecture

Interface sets (in-line, passive) feed the detection engines:
• Intrusion Prevention Engines: Pre-processors, Snort Rules Engine
• RNA Detection Engines: Real-time Protocol Analyzer, Fingerprint processor
• RUA Detection Engines: User Identifier / protocol decode, UID Tracking
Supporting subsystems:
• Apache & Web Mgmt. Application (HTTPS: Port 443)
• Output spooler (SSL: Port 8305)
• MySQL Database
• Stand-alone Services
• Command & Control subsystem (SSH: Port 22; SSL: Port 8305)
If Sourcefire Made Cars…

Snort®: The Engine
• 80+ OEMs
• Enormous Community
Snort® Rules: The Fuel
• Open rule set
• Rules, not signatures
Sourcefire: The Car
• Torque to motion
• Enterprise quality
Vulnerability Research Team (VRT)

10 million dollar investment
• 200 server regression test facility
Write rules not signatures
Full-time team:
• Analyse vulnerabilities
• Reverse-engineer patches
Regular rules updates

[Photo: VRT Regression Facility, Columbia MD]
IPS is tougher than you think!

Detecting something is easy
Detecting something meaningful is a lot more difficult
Making IPS un-evadable is vital
Why Intrusion Prevention is HARD!!

[Diagram: the attacker sends six IP fragments (BUF 1, ER 2, OVR 3, FFFF 4, XXX 5, FLO 6) with overlapping fragment offsets. Each target stack reassembles them differently: Win32 and FreeBSD see “BUFFEROVRFLO”, while LaserJet, Linux and IOS see “BUFFEROXXFLO”. The intrusion sensor sits between attacker and targets (IIS on MS Windows, SMTP on Linux, RPC on SUN, FTP on HPUX, Apache on a mainframe) and must choose a reassembly strategy.]

Attacker → Intrusion Sensor: Reassembly Strategy?

To do a good job of detection, you MUST understand the target!!
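The reassembly ambiguity on this slide, worked through as an added example (not Sourcefire code): two simplified reassembly policies, 'first' (bytes that arrived first win) and 'last' (later fragments overwrite), applied to a constructed fragment train, with a constructed content rule that fires on one reading but not the other. Policy names, fragments and rule content are assumptions; real stacks apply more elaborate rules than these two.

```python
from dataclasses import dataclass

# Added example, not Sourcefire code. Policy names, fragment train and rule
# content are constructed to mirror the slide, not taken from any real stack.


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    data: bytes


def reassemble(frags, policy):
    """Reassemble fragments in arrival order under a simplified policy.

    'first': a byte that is already filled keeps its value (older data wins).
    'last':  a later fragment overwrites what is already there (newer wins).
    Returns (payload, overlapping_bytes, hole_bytes).
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    length = max(f.offset + len(f.data) for f in frags)
    buf = [None] * length
    overlapping = 0
    for f in frags:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if buf[pos] is not None:
                overlapping += 1          # same byte supplied twice: anomaly
                if policy == "first":
                    continue
            buf[pos] = byte
    holes = sum(1 for b in buf if b is None)
    payload = bytes(0 if b is None else b for b in buf)
    return payload, overlapping, holes


# Constructed fragment train: the XX piece overlaps bytes 7-8 of the OVR
# piece, so a 'first' host reads OVR there and a 'last' host reads XX.
FRAGMENTS = [
    Fragment(0, b"BUF"),
    Fragment(3, b"FER"),
    Fragment(6, b"OVR"),
    Fragment(7, b"XX"),
    Fragment(9, b"FLO"),
]

RULE_CONTENT = b"OVRFLO"   # constructed rule content; matches one reading only


def inspect(frags, sensor_policy, target_policy):
    """Compare what the sensor reassembles with what the target host does.

    If the two views differ, a content rule can fire on a payload the target
    never sees (false positive) or miss one it does see (false negative).
    Non-zero overlap is worth an alert by itself, whatever the policy.
    """
    sensor_view, overlap, holes = reassemble(frags, sensor_policy)
    target_view, _, _ = reassemble(frags, target_policy)
    return {
        "sensor_sees": sensor_view,
        "target_sees": target_view,
        "rule_hits_sensor": RULE_CONTENT in sensor_view,
        "rule_hits_target": RULE_CONTENT in target_view,
        "overlap_bytes": overlap,
        "holes": holes,
        "views_differ": sensor_view != target_view,
    }


if __name__ == "__main__":
    for sensor, target in (("first", "first"), ("first", "last"), ("last", "last")):
        r = inspect(FRAGMENTS, sensor, target)
        print(f"sensor={sensor:5} target={target:5} "
              f"sensor sees {r['sensor_sees']!r}, target sees {r['target_sees']!r}, "
              f"rule hit sensor/target = {r['rule_hits_sensor']}/{r['rule_hits_target']}, "
              f"overlap={r['overlap_bytes']}")
```

A sensor that knows the target's policy (which passive OS fingerprinting can supply) reassembles as the target does; one that guesses reassembles for a host that may not exist.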
The Service Problem

Question:
• How many different ways could you represent the letters ‘a’, ‘e’, ‘i’, ‘o’, ‘u’ in a URL?
Answer:
• > 83,060,640 !!!
And that’s just using Microsoft web servers!

Source: Eric Hacker: IDS Evasion with Unicode, www.securityfocus.com
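A canonicaliser of the kind a sensor needs before matching URL rules, as an added example that is not Sourcefire code: it decodes %XX and IIS-style %uXXXX, repeats decoding for double-encoded input up to a bounded number of passes, accepts (and flags) overlong UTF-8, and folds case. The sample encodings are constructed; treating %uXXXX as a BMP code point is an assumption.

```python
import re

# Added example, not Sourcefire code: collapse the many encodings of one
# character to a single form before rule matching, and report the encoding
# anomalies (double encoding, overlong UTF-8, residual encoding) a sensor
# should alert on. Case is folded because IIS paths are case-insensitive.

PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def percent_decode_once(s):
    """Decode every %XX / %uXXXX sequence one time; return raw bytes."""
    out = bytearray()
    pos = 0
    for m in PCT.finditer(s):
        out += s[pos:m.start()].encode("utf-8", "surrogatepass")
        if m.group(1):                      # %uXXXX: assumed BMP code point
            out += chr(int(m.group(1), 16)).encode("utf-8", "surrogatepass")
        else:                               # %XX: a single byte
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("utf-8", "surrogatepass")
    return bytes(out)


def decode_utf8_lenient(b):
    """Decode UTF-8 as a tolerant server might: overlong forms are accepted
    (e.g. C0 AF -> '/') but reported. Returns (text, saw_overlong)."""
    chars, i, overlong = [], 0, False
    while i < len(b):
        c = b[i]
        if c < 0x80:
            n, cp = 0, c
        elif 0xC0 <= c <= 0xDF:
            n, cp = 1, c & 0x1F
        elif 0xE0 <= c <= 0xEF:
            n, cp = 2, c & 0x0F
        elif 0xF0 <= c <= 0xF7:
            n, cp = 3, c & 0x07
        else:                               # stray continuation or bad lead byte
            chars.append("\ufffd")
            i += 1
            continue
        cont = b[i + 1:i + 1 + n]
        if len(cont) < n or any(not 0x80 <= x <= 0xBF for x in cont):
            chars.append("\ufffd")
            i += 1
            continue
        for x in cont:
            cp = (cp << 6) | (x & 0x3F)
        if cp > 0x10FFFF:
            chars.append("\ufffd")
            i += 1 + n
            continue
        if cp < (0, 0x80, 0x800, 0x10000)[n]:
            overlong = True                 # encoded in more bytes than needed
        chars.append(chr(cp))
        i += 1 + n
    return "".join(chars), overlong


def normalize_uri(uri, max_passes=2):
    """Decode until stable (bounded), fold case, and report anomalies."""
    text, passes, overlong_seen = uri, 0, False
    for _ in range(max_passes):
        decoded, overlong = decode_utf8_lenient(percent_decode_once(text))
        if decoded == text:
            break
        text, passes = decoded, passes + 1
        overlong_seen = overlong_seen or overlong
    return {
        "path": text.lower(),
        "decode_passes": passes,
        "double_encoded": passes > 1,
        "overlong_utf8": overlong_seen,
        "still_encoded": PCT.search(text) is not None,   # hit the pass limit
    }


def matches_rule(uri, rule_path):
    """True when the request names the same resource as the rule's path."""
    return normalize_uri(uri)["path"] == normalize_uri(rule_path)["path"]


if __name__ == "__main__":
    # Constructed encodings of "/a" (the last one uses an overlong '/'):
    for sample in ("/a", "/%61", "/%41", "/%2561", "/%u0061", "/%C1%A1", "%C0%AF%61"):
        print(f"{sample:12} -> {normalize_uri(sample)}")
```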
3D Sensor Capabilities
Intrusion Prevention

Threat Protection
• Vulnerability, not exploit-based detection rules
• ‘Instant on’ IPS rule set
Open-Standard Rules Language
• Modify any rule or create your own
• Industry-standard - over 150,000 active users
Forensics
• View event data down to the packet level
• View rules and data for auditable decision making
Performance
• 5 Mbps to 10 Gbps
• Latency capping

Protection Against: Worms, Trojans, Port scans, Buffer overflow attacks, Spyware, Protocol anomalies, Malformed traffic, Invalid headers, Zero-day attacks
In-line Sensor Failover

All 3D sensors use a special failover NIC
NIC failover circuitry enters bridge mode on the following conditions:
• Sensor loses power
• Sensor suffers software failure
• Sensor intentionally shut down
Change is instant
High Performance 3D-5800

Hybrid ASIC/PowerPC (G5) architecture
‘Stackable’ chassis enables scalable performance
• 8/4 Ports (IDS/IPS) per chassis
Line speeds of 3.5/4 Gbps (IPS/IDS)
Unsurpassed protection for VoIP technology
Fault Tolerant design

[Diagram: Chassis Backplane Connector linking NPM (2xASIC NPUs, 2xPPC CPUs), APM (4xPPC CPUs), Dual Power Supplies and Hot-swap Mirrored HD]
Breaking the 10G Barrier
Sourcefire 3D9800 Sensor

12 dual core Power PC processors (24 cores)
Up to 2 Network Interface Modules (NIMs):
• 4 fiber ports at 10 Gbps
• 12 copper ports at 1 Gbps
• 12 copper ports plus 2x 10 Gbps fibre (Q1/2008)
• 16 ports at 1 Gbps copper (Q1/2008)
Tuning Sensors

Sensor tuning is important for performance and alert validity
• Statistical data from intrusion sensors can be easily used for tuning
• RNA can auto-tune the intrusion sensor, reducing or eliminating tuning burden.
Biggest impact on event reduction comes from correlation of passive discovery and intrusion event data
Context is Everything

How to discover context?
• Active Scanning
• Passive Network Discovery

[Photos: -20°C, Reykjavik; +20°C, Reigate]
Why Passive Network Discovery?

Your active scan of the oil refinery SCADA network corrupts control systems data and causes a life-threatening failure of the plant.

Your active scan of the medical imager re-boots the liquid helium controller. Imager down for 2 days due to temperature instability.

[Chart: Quality vs. Time: the scan occurs, then accuracy decays over the coherence time t]
Your active scans never seem to reflect reality for very long.
You Can Learn More By Listening…

Machines reveal a great deal about themselves:
• Operating system(s), vendor, version
• Services, vendors, versions
• Ports and protocols
• MAC and IP address(es)
• Vulnerabilities
• User data
• Behavioral information
Passive discovery is the basis of Sourcefire Real-Time Network Awareness (RNA™)
What does RNA Capture?

Information on Hosts
• Client/server/bridge
Information on Services
• ftp, telnet, ssh …
Information on Flows
• Who talked with whom
• Which protocol, which ports
RNA continuously computes an error margin and reflects this in a confidence figure.
From this data, network maps are constructed and vulnerability tables computed.

[Diagram: network map with per-host confidence figures (12%, 24%, 49%, 59%, 77%, 82%, 100%)]
RNA Placement Strategy

On 3D Sensors
• Co-located with IPS
• Separate from IPS
“Ground Level” - high resolution (on broadcast domain)
• Good for servers
“High Ground” - high visibility (by DNS, mail servers)
• Good for workstations
Most companies mix methods to optimise coverage

[Diagram: High Ground and Ground Level sensor placement]
Putting RNA and Intrusion Data to Work
Finding The Events That Matter with The Sourcefire DC

Defense Center provides powerful data reduction, pivoting and correlation services
Web-based or optional 3D visualization clients
Incident management subsystem included
Easy interface to your existing security ecosystem

[Diagram: Intrusion Events (attacks, 1000’s / hr), End-point Intelligence (hosts & services; vulnerability database: CVE, Bugtraq, Sourcefire, Arachnids, Nessus, Cisco) and Network Intelligence (flows, anomalies) feed Data reduction, producing Alerts (10’s / hr); Pivot leads on to Incident Processing, Report Generation and 3rd party event managers]
The Power of the Pivot

[Diagram: Intrusion Events → Selection → Suspect candidates → Pivot → Other possible victims → Drill-down → Suspect - victim conversation]
Powerful Reporting

Tailor reports on your most critical assets
Automate compliance reporting
• Schedule tailored reports to be emailed to your compliance managers
Multiple formats
• PDF, HTML or Excel
Stream reporting to 3rd party applications

[Diagram: Report Profile (Search Filter, Time Window) → Workflow Selection → Summary selection → Query Engine → Report Formatter → Output Spooler (disk, email)]
Responding to Network Events
Can Operate At Two Levels

At 3D Sensor:
• Rule processor operates on events from network
At Defense Center:
• Rule processor operates on events from sensors
• Response processor triggers remediation event
• Used for compliance rules

[Diagram: Sensor Rule → 3D Sensor (policy programs sensor response); sensor events → Compliance Rule → Compliance Policy programs DC response]
Responding to Network Events
Remediation Subsystem

Remediation subsystem called when compliance rule conditions are triggered
Remediation modules typically interface to 3rd party control systems
Pre-written modules:
• Perform Cisco IOS Null Route, PIX ACL
• Add temporary Check Point firewall block rule
• Initiate “surgical scan”
Real power is in writing your own
• Simple scripting (Bash, Perl) or C

[Diagram: Network Condition (threat and/or endpoint) → Compliance Rule → Response triggered → Remediation subsystem → Remediation Module (IP, Port, policy) → Remediation instructions to Router / Firewall, NAC, Configuration Management]
Host/Service Anomaly Detection
One-Click Compliance

Maps “what is” to “what should be”
White listing, not black listing

[Diagram: Real-time Network Map and Intended Network Map → Compliance Builder → Comparator → Compliance system → Alert Subsystem and Remediation Subsystem]
Network Anomaly Detection
Trend Analysis / NBA

Sophisticated statistical analysis on flow samples
Network behaviour is learned over a training period. Any departure triggers an alert
• Absolute value, derivative (velocity), standard deviation (sigma, σ)
Many quantities can be sampled
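The three trigger types on this slide, as an added example that is not Sourcefire's NBA code: a baseline learned from a constructed training series, then alerts on absolute value, velocity and sigma departures. Thresholds, samples and the min_sigma floor are assumptions.

```python
import statistics

# Added example, not Sourcefire's RNA/NBA code: learn a baseline for one
# sampled flow quantity over a training period, then raise the three alert
# kinds the slide lists. Samples and thresholds below are constructed.


def learn_baseline(training):
    """Mean and sigma of the training samples (population sigma)."""
    return statistics.fmean(training), statistics.pstdev(training)


def detect(samples, baseline, abs_limit, velocity_limit, k_sigma, min_sigma=1.0):
    """Return (index, kind, value) for every triggered condition.

    absolute: the sample exceeds a fixed ceiling
    velocity: the change since the previous sample exceeds velocity_limit
    sigma:    the sample is more than k_sigma standard deviations from the mean
    A flat training period gives sigma close to 0; min_sigma (an assumption)
    stops every tiny wobble from becoming a sigma alert.
    """
    mean, sigma = baseline
    sigma = max(sigma, min_sigma)
    alerts, prev = [], None
    for i, x in enumerate(samples):
        if x > abs_limit:
            alerts.append((i, "absolute", x))
        if prev is not None and abs(x - prev) > velocity_limit:
            alerts.append((i, "velocity", x - prev))
        if abs(x - mean) > k_sigma * sigma:
            alerts.append((i, "sigma", round((x - mean) / sigma, 2)))
        prev = x
    return alerts


def alert_kinds_by_index(alerts):
    """Group alert kinds per sample index for a per-sample summary."""
    grouped = {}
    for i, kind, _ in alerts:
        grouped.setdefault(i, set()).add(kind)
    return grouped


# Constructed samples: flows per minute from one subnet to a file server.
TRAINING = [100, 104, 98, 102, 97, 103, 99, 101, 100, 96]   # mean 100, sigma ~2.45
LIVE = [101, 99, 130, 131, 98, 250]

if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    for alert in detect(LIVE, base, abs_limit=200, velocity_limit=25, k_sigma=3):
        print(alert)
```

Sample 3 (131) shows why the three triggers are kept separate: it is far outside the sigma band but arrives with almost no velocity, so a velocity-only detector would miss the sustained step.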
Flow Analysis …
… and other enhancements

Support for Netflow (v5) collection
• Configure 3D Sensors to collect Netflow from one or more Netflow sources
• Combine with RNA native flow data.
• Extends reach to those areas of the network not monitored by RNA
Network map & topology improvements
Flow data compression

[Diagram: Router(s) & Switch(es) on the Network export Netflow to the 3D Sensor (IPS/RNA), which reports to the Defense Center]
Identity Mapping
Sourcefire Real-time User Awareness (RUA™)

People, not computers commit crimes
Maps user names to IP addresses within the Sourcefire 3D System
With RUA:
• Easier to determine physical location of exploited hosts
• Easier to identify employees hacking into internal systems
• Easier to set up per-user compliance

[Diagram: Intrusion Events, End-point Intelligence and Identity database (LDAP, MS Active Directory) feed Compliance System + RUA, producing User-specific Rules, User Remediation, User-incident Processing and Report Generation]
RUA Example
Real-time Network User Lists
System Management

All sensors managed via policies: Intrusion Policies, RNA Policies, System Policies, Health Policies
System Scheduler (Defense Center Scheduler)
• Download and push rule updates
• Apply policy changes during quiet periods
• Download and apply software and rule updates
• Generate reports
• Perform backups
Access Security

5 Levels of user privilege
User-specific environment
• Local time zone support
• Per-user ‘skins’ (workflow, address resolution, refresh interval, etc.)
IP-based access security

[Diagram: Event Data, System Data, Scheduling Data and Rules Data behind an Event Filter and Restricted Data; access levels Data Access (perform analysis, generate reports), Admin Access (administer system), Maint. Access (schedule jobs, monitor health) and Rules Access (update rules & policies); per-user time zones TZ=EDT, GMT, CET, JST, WST]
Integrating With Your Security Ecosystem

[Diagram: Incident Management, SIEM / Log Management, Business Analytics and Network Monitoring via eStreamer, Syslog, SNMP Traps and SMTP; Patch Management via the Remediation API; Network Infrastructure and NAC via OPSEC; SSL and Touch Free Network Taps; LDAP User Authentication; NetFlow and the Host Input API from Network Infrastructure, Patch Management, VA / Active Scanning and CMDB / Asset Lists]
Scaling the Global Enterprise

DC1000
• RAID 1
• 25 sensors
• 10 million events
DC3000
• RAID 5
• 100 sensors
• 100 million events
DC High Availability
• Mirrored DC’s
Master Defense Center
• Cascade events from 10 DC’s for global overview

[Diagram: MDC ← 1..10 DC’s ← 1..100 sensors]
Other Features

 Master Defense Center Phase II
  • Subordinate policy management
  • Mirroring support for MDC and subordinate DC’s.
 Host Input API
  • Incorporate external asset information into RNA
 Miscellaneous Improvements
  • Internet Explorer 7
  • Streamlined communications protocols
  • Right mouse actions
  • Improved network map
  • Impact rating of blocked events
  • Prohibit packet capture
  • Snooze health monitoring during maintenance
ROA “Return On Analysis”

[Diagram: IPS (Threat data) and RNA (Target data) feed the DC: Central management, Global view]
• Open Rules: Reliable, auditable decisions
• Build compliance Policy: Discover problem systems in real-time
• Event Reduction: Save time, reduce operational cost
• Target Analysis: Real-time change discovery
• Automatic Response: Mitigate future risk
• Report on Event: Proving compliance
• Event Pivoting: Decreasing incident response effort
Demonstration: Sourcefire 3D System

Sourcefire’s live system of IPS, RNA and Defense Center
Summary

Sourcefire Solutions provide practical answers to problems with current intrusion prevention
End-point correlation saves time by reducing the number of alerts and reducing the time spent on dealing with them
Sourcefire remediation enables you to enforce a wide range of security policies on your network
Sourcefire solutions run on a wide range of hardware, offering the right solution to fit your size of business
Questions & Answers