Discover, Determine & Defend - PowerPoint PPT Presentation

1
Discover, Determine & Defend
  • Anders Eriksson
  • Nordic-Baltic Regional Manager
  • phone +46 70 941 48 00
  • email anders.eriksson_at_sourcefire.com

2
Agenda
  • Introduction to Sourcefire
  • Redefining Intrusion Prevention
  • Sourcefire 3D Solution Overview
  • Sample Applications
  • Q&A

3
Introduction to Sourcefire
  • Anders Eriksson
  • Nordic-Baltic Regional Manager
  • phone +46 70 941 48 00
  • email anders.eriksson_at_sourcefire.com

4
About Sourcefire, Inc.
Hybrid Business Model
  • Founded in 2001 by Martin Roesch, the creator of
    SNORT
  • HQ in Columbia, Maryland, US
  • EMEA HQ in UK
  • Nordic/Baltic office in Stockholm
  • Germany, Paris, The Netherlands
  • 800% growth over past three years
  • Staff 160
  • Privately held and profitable
  • Registration Statement filed for IPO

Enterprise Class Solutions & Support
Comprehensive intrusion prevention: the
integration of Threat, Endpoint, and Network
Intelligence
5
Leveraging a Powerful Community
World's most widely deployed Intrusion Detection &
Prevention Technology
6
Sourcefire Industry Recognition
  • RSA Innovator Award, February 2005
    • "The real competition was for second place"
  • NSS Gold Award, April 2005
    • Only the fifth time that a product earned this
      designation
  • SC Magazine IPS Group Test, July 2005
    • Bested 11 vendors including ISS, McAfee,
      Tipping Point
    • Sourcefire 3D System: "Best IPS out there on
      the market"

7
Worldwide Total Network-Based IDS/IPS Market
Share Growth
Source: Infonetics Research, Inc., Network
Security Appliances and Software, August 29, 2006
8
Users of Sourcefire Solutions
  • Banking
  • Telecom
  • Government Agencies
  • Energy Utilities
  • On-line Gaming & Commerce

9
Redefining Intrusion Prevention
  • Anders Eriksson
  • Nordic-Baltic Regional Manager
  • phone +46 70 941 48 00
  • email anders.eriksson_at_sourcefire.com

10
Gartner's view on Intrusion Prevention
  • "IDS is dead"
  • Said in 2003 by Gartner

A bad day at Sourcefire...
...turns out to be fantastic!
11
Next Generation Real-time Network Defense
Table: Gartner Requirements vs. Sourcefire 3D Solution
Source: Gartner Research Note, Security Management
Strategies and Processes Strategic Planning,
SPA-21-3635
12
From Niche Player to Leader in 1½ years
13
What True Intrusion Prevention gives you
  • Traditional Intrusion Prevention Systems
    • Very expensive noise generator
    • False positives a major issue
    • Gartner says 99 out of 100 alerts mean nothing
    • Confidence level low: only a small amount of
      threats can be safely blocked
    • Can you afford to staff up on Analysts to make
      systems usable?
  • With Sourcefire 3D System
    • Over 99% reduction of events
    • Know what events are real and their criticality
    • Know if critical assets have been compromised
    • Automate time-consuming manual processes
    • Analysts can focus on what's important
    • System provides real-time network defense
    • We call it True Intrusion Prevention

14
Figure: Threat, Endpoint, and Network Intelligence applied "All the Time"
across three phases. PRE-ATTACK: know what assets are on your network and
their vulnerabilities (Asset Mgmt., Vulnerability Mgmt., Policy Compliance,
Configuration Mgmt.). ATTACK: attack recognition and interdiction (Intrusion
Detection, Intrusion Prevention, Access Control). POST-ATTACK: identify
compromises, contain or remediate (Incident Response, Event Management and
Forensics, Policy Enforcement, Network Behavior Analysis). Technology and
Applications layers are tied together by Policy-Driven Automation.
15
All Threats, all Vectors
  • Unknown and engineered attacks: Based on a 2005
    study of more than 32 million vulnerability
    assessment scans within its customer base, Qualys
    Inc. found that on average, companies take about
    48 days to patch 50% of the internal
    systems that could be exposed to a critical
    vulnerability. Most damage is done within
    the first 15 days of an exploit
    release.
  • Infrastructure Attacks: According to the Secret
    Service/CERT E-Crime Watch Survey, the mean loss
    estimated by respondents was just over $500,000.
  • Insiders: In an annual study by IDG and
    PricewaterhouseCoopers, current employees
    account for 33% of network security threats,
    both intentional and unintentional.
  • Partners: In a survey jointly done by ASIS
    International and the U.S. Chamber of Commerce,
    138 executives of Fortune 1000 companies reported
    losses between $53 billion and $59 billion due to
    insider attacks.
  • Unknown Connections: The 2005 CSI/FBI Computer
    Crime and Security Survey reports that 66% of
    the security incidents that caused the greatest
    organizational losses in 2004 were unauthorized
    access and theft of proprietary information.
16
Sourcefire 3D Solution Overview
17
Sourcefire 3D: the three Ds of true IPS
18
Sourcefire 3D Solution: a Little Closer
  • Using SNORT's powerful, flexible and
    completely open rules language: detection and
    blocking of all known threats; protocol analysis
    for unknown and zero-day threats
  • Passive discovery of all network assets;
    adding business context to the assets; selective
    target-based active scanning
  • Network flow information: discovery of
    communications patterns between network
    assets; NBAD, discover changes in behavior
19
Sourcefire 3D Components Overview
20
Sourcefire Intrusion Sensors
  • Snort-powered IDS / IPS offers the most
    comprehensive rule set to detect all attacks
  • Rules are open: you can see what triggered an
    event
  • Viruses, trojan horses, worms, DoS, VOIP,
    malware, OS/application exploits, and other
    threats
  • Detects known threats via deep-packet inspection
  • Detects unknown threats via
    • Vulnerability trigger conditions
    • Anomaly detection
  • Sourcefire VRT (Vulnerability Research Team)
    experts keep up-to-date on new threats and
    vulnerabilities
  • Traps and traces the traffic associated with any
    attack

21
Intrusion Sensors
  • Passive Mode: Monitor, alert, defend via Remediation Modules
  • In-line Mode: Alert, block or drop traffic
22
RNA Real-time Network Awareness
  • Real-time continuous passive discovery and
    multi-vector profiling
  • Network Asset awareness
    • Operating system vendors, versions & service
      packs
    • Services, vendors & versions
    • Ports & protocols
    • MAC & IP addresses
    • Vulnerabilities
  • Behavioral awareness
    • Traffic
    • Peers
  • Criticality awareness
    • Qualitative
    • Quantitative

"Magic eye that watches everything happening on
your network." Network World
23
RNA vs. Active Scanning
24
RNA Real-time Network Awareness
  • Without Sourcefire
    • Expensive noise generator
    • Many false positives and negatives
    • "99 out of 100 alerts mean nothing", Gartner
    • Confidence level low
    • Few threats can be safely blocked
    • No knowledge of endpoints and their
      vulnerabilities
    • Don't know what asset is being targeted by the
      attack
    • No correlation: can't prioritize events
  • With Sourcefire
    • IPS driving real-time defense
    • Know that events are real
    • Know the criticality of events
    • Know if critical assets have been compromised
    • Automate time-consuming manual processes
    • Get correlated threat, endpoint, and network
      intelligence and have the most accurate threat
      data in front of you

25
RNA NBAD (Network Behavior Anomaly Detection)
  • Know where your mission critical systems
    stand
  • Continually visualize & analyze packets, assets &
    data flows
  • Identify and track anomalies such as DDoS
    attacks, worms and zero-day threats from any
    entry point
  • Detect and shut down illegal mail servers, rogue
    desktop applications including desktop web
    servers
  • Enforce corporate policies for P2P restrictions
    such as Kazaa and instant messaging

26
Sourcefire Defense Center
  • Alerting
    • Real-time notification via all mainstream methods
    • Programmatic interfaces support unlimited
      integration
      • Streaming API
      • Bi-directional command & control interfaces
  • Blocking
    • Wire-speed interception of network threats
    • Isolation and containment leveraging existing
      network infrastructure
      • Switches
      • Routers
      • Firewalls
  • Correction
    • Patch or Configuration Management
    • System and Network Management
    • Asset management

27
Sourcefire Defense Center
28
Sourcefire Defense Center
  • Event correlation
    • Correlates and prioritizes attack data against
      the true network layout and changes
  • Command and control
    • Centrally administers all your IS & RNA sensors
  • 3D visualization
    • Gives you a clear picture of your networks and all
      REAL attacks
  • Very low TCO
    • Plug-n-Protect appliance
    • Built-in, high performance database
    • Integrated data management capability gives you
      the power to manage all of your events, scaling
      to enterprise deployments without having to
      buy additional DB licenses

29
Sourcefire Defense Center
  • Helps document compliance with
    • Federal Information Security Management Act
      (FISMA)
    • Gramm-Leach-Bliley (GLB) Act
    • Health Insurance Portability & Accountability Act
      (HIPAA)
    • Sarbanes-Oxley (SOX) Act
    • Security Breach Information Act (SB 1386)
    • Visa/MC Payment Card Industry (PCI) Data
      Security Standard

"In the PCI standard, it states we must use
network intrusion detection systems, host-based
intrusion detection systems, and/or intrusion
prevention systems to monitor all network traffic
and alert personnel to suspected compromises.
There are two kinds of IDS/IPSs on the market.
One, you plug in and don't ever want to hear from
again. Then there's the other kind that lets you
get useful information about your network.
That's what we have with Sourcefire." Michael
Morgan, Network Security Administrator, BankersBank
Card Services
30
One-Click Compliance
31
Automating IT Compliance
  • One-Click Policy Baseline Development
    • Operational networks, sub-nets, and/or individual
      assets used to auto-generate policies
  • Flexible Response Capabilities Automate
    Enforcement
    • Network access control
    • Vulnerability discovery & remediation
    • Compromise containment (incident response)
    • Network policy enforcement
  • Passive Discovery Methods Allow Persistent,
    Real-Time Monitoring & Enforcement
    • Virtually no impact on network performance
  • Configurable Dashboard & Reporting
    • Emphasis on simplified administration

32
True Intrusion Prevention The Better Way
  • Sourcefire is the fastest growing company in the
    space due to its market-driven solution,
    innovation, and value.
  • Gartner has moved Sourcefire to the front of the
    pack for ability to execute and completeness
    of vision in its latest Network Intrusion
    Prevention Appliance magic quadrant.
  • The true intrusion prevention approach gives you
    the best of both worlds: open source community
    power and commercial innovation.
  • With this approach, you leverage the best
    industry technologies from Check Point Software
    Technologies and Sourcefire (including Snort).
  • You save money and time
    • 90% reduction in alerts
    • Provides automation wherever possible (and
      requested)
    • Uses Plug-n-Protect appliances
  • Bottom line: it's the most effective security to
    protect your
    • Revenue
    • Reputation
    • Regulatory compliance

33
Global Alliances
  • Nokia
    • OEM of native Sourcefire 3D suite of software
      (IS, RNA and DC)
    • Nokia IPS running on IP390 (250 or 400 Mbps) for
      IS and RNA
    • Nokia will introduce more platform options in
      2007
    • Sold & supported by Nokia Channel Partners
  • Nortel
    • OEM of Sourcefire 3D suite of software
    • Re-branded to Nortel TPS (Threat Protection
      System)
  • IBM
    • Closely aligned with IBM Global Services,
      Strategic Outsourcing
    • Using IBM eServer x346 in some appliances
  • X-beam
    • Sourcefire 3D software running on Crossbeam X-series
    • Meet-in-the-Channel model

34
Q&A
35
In-depth Appliance Overview
36
Intrusion Sensors: 45 Mbps to 1 Gbps
37
Intrusion Sensors: 1.5 Mbps to 4 Gbps
38
RNA Appliances: 45 to 500 Mbps
39
Defense Center Appliances: 900 or 1300 IDS
events/sec; 10 or 100 million IDS events in DB;
1 or 10 million RNA or RNA Flow events
40
In-depth Remediation functions
  • Joakim Johansson
  • CISSP, SFCE
  • Security Engineer - Nordic/Baltic

41
CheckPoint OPSEC SAM (Rule Response)
  • Responses triggered by the Sourcefire Intrusion
    Sensor
  • Can be used on a standalone Intrusion Sensor
Response settings shown: "For how long will the OPSEC rule be active in the
firewall" and "Action to take"
42
CheckPoint OPSEC SAM (Remediation Response)
Response is taken on the Sourcefire RNA and/or
the Sourcefire Defense Center based on policies
created by the administrator
Block_traffic_in_firewall
43
Sample Applications
44
The damage DoS attacks can make
  • DoS (denial-of-service) attacks are a constantly
    growing problem for both ISPs and organizations
    worldwide.
  • The primary problem for ISPs is the bandwidth
    DoS attacks consume, and the annoyed customers
    who don't get the bandwidth they pay for. A DoS
    attack can cause more issues than just refusing
    access to a service.
  • For an organization the primary issues are often
    more significant, as it is the targeted
    victim:
    • Lost income
    • Service level
    • Trust and reputation

45
Actions you have to take
  • To detect and stop DoS (denial-of-service)
    attacks you have to be able to
    • Baseline the networks in advance
    • Configure sinkholes for invalid routes
    • Implement pattern/signature analysis tools
    • Design and plan for remediation on implemented
      equipment

46
How Sourcefire 3D prevents DoS attacks
  • With its sophisticated Intrusion Sensor and RNA
    Sensor, Sourcefire can offer the market's best
    prevention methods for both intrusion and
    denial-of-service
  • The Intrusion Sensor works in inline or passive
    mode and detects and blocks DoS attacks using
    advanced rules and signatures
  • When adding RNA Sensors to the solution you get
    an advanced analysis tool that tracks flows and
    statistical data

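The baseline-then-detect approach of the last three slides (learn normal per-service packet rates in advance, then flag volume spikes and listeners that never appeared in the baseline, such as a rogue desktop web server) as an added Python example; this is not RNA's or Sourcefire's code, and the flow record format, the thresholds `k` and `floor`, and the sample addresses are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Flow summary as a passive sensor might export it (constructed format, not RNA's):
# (minute, src_ip, dst_ip, dst_port, packets)
Flow = Tuple[int, str, str, int, int]
Service = Tuple[str, int]                      # (dst_ip, dst_port)

def packets_per_minute(flows: List[Flow]) -> Dict[Service, Dict[int, int]]:
    """Sum packets per minute for every destination service seen in the flows."""
    counts: Dict[Service, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for minute, _src, dst, port, pkts in flows:
        counts[(dst, port)][minute] += pkts
    return counts

def build_baseline(flows: List[Flow]) -> Dict[Service, Tuple[float, float]]:
    """Learn mean and std-dev of packets/minute per service over the learning window."""
    minutes = sorted({f[0] for f in flows})
    base = {}
    for svc, series in packets_per_minute(flows).items():
        values = [series.get(m, 0) for m in minutes]   # quiet minutes count as zero
        base[svc] = (mean(values), pstdev(values))
    return base

def detect(live: List[Flow], base: Dict[Service, Tuple[float, float]],
           k: float = 3.0, floor: int = 500) -> List[Tuple[Service, str, int, int]]:
    """Return (service, kind, peak_packets, distinct_sources) for each anomaly.
    'new_service': a listener never seen while baselining (e.g. a rogue desktop
    web server). 'volume': a minute above mean + k*stddev and above the absolute
    floor, so tiny services with near-zero deviation do not alert on every blip.
    """
    findings = []
    for svc, series in packets_per_minute(live).items():
        peak = max(series.values())
        sources = len({f[1] for f in live if (f[2], f[3]) == svc})
        if svc not in base:
            findings.append((svc, "new_service", peak, sources))
            continue
        mu, sigma = base[svc]
        if peak > max(floor, mu + k * sigma):
            findings.append((svc, "volume", peak, sources))
    return findings

# Constructed traffic: ten quiet minutes to learn from, then one minute under attack.
LEARN = [(m, f"192.0.2.{i}", "10.0.0.10", 80, 30 + i) for m in range(10) for i in (1, 2, 3)]
ATTACK = [(10, f"198.51.100.{i}", "10.0.0.10", 80, 25) for i in range(1, 201)]
ROGUE = [(10, "192.0.2.1", "10.0.0.50", 80, 4)]   # desktop unexpectedly serving HTTP
LIVE = ATTACK + ROGUE
```

`detect(LIVE, build_baseline(LEARN))` reports the flooded web server with 200 distinct sources, which is the signal a remediation policy (sinkhole, firewall block) would key on, and the unexpected HTTP listener on the desktop.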
Figure: Sourcefire Passive Mode and Sourcefire Inline Mode; Monitoring & Defend
via the ABCs (Alert, Block Traffic, Drop Traffic)
47
DoS Attack Protection
Figure: ISP Network (Check Point, Cisco IOS, Other), Link to ISP, Customer
48
Unknown Exploit
  1. Reconnaissance activity detected by
     passive Intrusion Sensor; events associated
     with the target assigned higher priority.
  2. RNA detects change in the behavior and/or
     composition of the compromised asset.
  3. Correlated events trigger remediation
     policy: isolate compromised server;
     block attacker at firewall; direct
     configuration mgmt.; notify system
     administrator.
  4. In-line Intrusion Sensor policy updated
     to prevent reoccurrence.
Figure components: Patch Management (or other solution), Sourcefire Intrusion
Sensor (in-line), Sourcefire Intrusion & RNA Sensors, Sourcefire Defense Center
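The correlation step this slide and the Defense Center's "event correlation" slide describe (an intrusion event matters only when the passively profiled target actually runs the attacked OS and service and is known to be vulnerable, otherwise it is noise) as an added Python example; this is not Sourcefire's or Snort's code, and the asset and event records, the 1..5 scoring thresholds and the VULN-A/VULN-B ids are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Asset:
    # One host as a passive sensor would profile it from the traffic it sends.
    os: str                                   # OS family inferred from fingerprints
    services: Dict[int, str]                  # listening port -> service banner
    criticality: int                          # 1..5, assigned by the administrator
    vulns: Set[str] = field(default_factory=set)  # vuln ids the profile implies

@dataclass
class Event:
    # One intrusion event as a Snort rule would raise it.
    sid: int                                  # rule id
    dst_ip: str
    dst_port: int
    targets_os: Set[str]                      # OS families the attack applies to
    vuln_id: Optional[str] = None             # vulnerability the rule covers, if any

def impact(event: Event, inventory: Dict[str, Asset]) -> Tuple[int, str]:
    """Score 1 (noise) .. 5 (critical asset, confirmed vulnerable) with a reason."""
    asset = inventory.get(event.dst_ip)
    if asset is None:
        return 1, "target never seen on the network"
    if event.targets_os and asset.os not in event.targets_os:
        return 1, "attack targets a different OS"
    if event.dst_port not in asset.services:
        return 1, "no service listening on the target port"
    if event.vuln_id and event.vuln_id in asset.vulns:
        return (5 if asset.criticality >= 4 else 4), "target is vulnerable"
    return 3, "service present, vulnerability unconfirmed"

def triage(events: List[Event], inventory: Dict[str, Asset]) -> List[Tuple[int, str, int]]:
    """Rank every event as (impact, reason, sid), highest impact first."""
    ranked = [impact(e, inventory) + (e.sid,) for e in events]
    return sorted(ranked, key=lambda r: -r[0])

# Constructed inventory and events; VULN-A/VULN-B are placeholder ids, not real CVEs.
INVENTORY = {
    "10.0.0.10": Asset("Linux", {80: "apache"}, 5, {"VULN-A"}),
    "10.0.0.20": Asset("Windows", {445: "smb"}, 2),
}
EVENTS = [
    Event(1001, "10.0.0.10", 80, {"Linux"}, "VULN-A"),     # real hit on a critical asset
    Event(1002, "10.0.0.10", 80, {"Windows"}, "VULN-B"),   # IIS exploit sent to an Apache host
    Event(1003, "10.0.0.99", 25, set(), None),             # no such host on the network
    Event(1004, "10.0.0.20", 445, {"Windows"}, None),      # plausible but unconfirmed
    Event(1005, "10.0.0.20", 22, set(), None),             # nothing listens there
]
```

`triage(EVENTS, INVENTORY)` puts the one event that hits a critical, vulnerable asset first and scores three of the five events as noise; the remediation policy of step 3 would only be wired to the high-impact tier.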