Sourcefire offers true intrusion prevention by integrating threat, endpoint, and network intelligence. With industry-recognized technology and powerful community support, Sourcefire provides effective and efficient network security solutions.
True Intrusion Prevention
Cyrille Badeau, Regional Sales Manager, Southern Europe
About Sourcefire
• Solid and Successful
• 16 consecutive quarters of growth
• 796% growth over past three years
• 2005 Frost & Sullivan Network Security Company of the Year
• NetEvents European Security Technology Leader 2006 Award
Best of Both Worlds + Privately-Funded Support & Innovation
We Offer True Intrusion Prevention: The Integration of Threat, Endpoint, and Network Intelligence
Industry Recognition
• RSA Innovator Award - February 2005
  • “The real competition was for second place”
• NSS Gold Award - April 2005
  • “Only the fifth time that a product earned this designation”
• Infonetics Research - May 2005
  • Leads all network-based IDS/IPS vendors in market share growth
• Federal Computer Week - July 2005
  • Five stars (out of five) for Features, Performance, Price
Industry Recognition
• SC Magazine: IPS Group Test - July 2005
  • “Sourcefire 3D System: Best IPS out there on the market”
  • Bested 11 vendors including ISS, McAfee, and Tipping Point
• Secure Enterprise - October 2005
  • “Better data-mining tools and accurate protocol discovery”
• Information Security - November 2005
  • “An excellent choice for customizing signatures and tuning blocking to policy”
Gartner Recognizes the Power of Sourcefire (Magic Quadrant chart: positions at Q2 04 and Q4 05)
End-Point Intelligence
“Providing endpoint and network intelligence to network security products significantly improves their capabilities and limits the obstacles to a successful deployment. Organizations deploying network security products should look for their integration with vulnerability assessment and network intelligence solutions.”
Amrit Williams, Gartner Research Director
Technology: Threat, Endpoint, and Network Intelligence
Complexity of Network Security (diagram)
• Phases: PRE-ATTACK (Asset Management, Policy Compliance); ATTACK (Attack Recognition, Interception); POST-ATTACK (Compromise Identification, Containment/Remediation)
• Applications across the phases: Policy Enforcement, Vulnerability Mgmt., Configuration Mgmt., Access Control, Firewalls, IDS, IPS, Incident Response, Network Behaviour Analysis (NBA)
• Policy-Driven Automation spans all phases
Technology: Threat, Endpoint, and Network Intelligence
Where Sourcefire Fits In (same diagram)
• Phases: PRE-ATTACK (Asset Management, Policy Compliance); ATTACK (Attack Recognition, Interception); POST-ATTACK (Compromise Identification, Containment/Remediation)
• Sourcefire products across the phases: Sourcefire RNA, Sourcefire DC, Sourcefire IDS, Sourcefire IPS, Sourcefire DC
• Policy-Driven Automation spans all phases
Sourcefire 3D System a Little Closer
• Snort: de facto standard for intrusion detection and prevention; flexible and powerful rules language
  • Detection and blocking of all known threats
  • Protocol analysis for unknown and zero-day threats
• Active Scanning
• Business Context
• Passive Discovery
• Target-based Scanning
• Network Behavior Anomaly Detection (NBAD)
  • Network Flows
  • New communications between hosts
Sourcefire 3D System at a Glance (architecture diagram)
• Components: Sourcefire Defense Center, Sourcefire Intrusion Sensors, Sourcefire RNA Sensors, Sourcefire Intrusion Agents
• Integration points: Email, SNMP, Syslog, Help Desk; Firewall, IPS, Switches, Routers; Patch Management, Configuration Management
Intrusion Sensor Performance
• Snort® powered - the most precise intrusion technology
  • Flexible, comprehensive, and powerful rules language
  • Detection and blocking of all known threats
  • Protocol analysis for unknown and zero-day
• Plug-n-Protect™ appliances or blade-ready software
  • IS500 to IS5800 – 5 Mbps to 8+ Gigabits
• Flagship Offering - IS5800
  • “Stackable” architecture enables scalable performance
  • Low latency
  • Fault tolerant design
Figure: Sourcefire Passive Mode (monitoring, alert) vs. Sourcefire Inline Mode (block traffic, drop traffic); Defend via the ABCs
RNA: Real-time Network Awareness
“Magic eye that watches everything happening on your network.” Network World
• Real-time, all-the-time passive discovery and multi-vector profiling
• Compositional awareness
  • Operating system(s), vendor, version
  • Services, vendors, versions
  • Ports and protocols
  • MAC and IP address(es)
  • Vulnerabilities
• Behavioral awareness
  • Traffic
  • Peers
• Criticality awareness
  • Qualitative
  • Quantitative
RNA: Real-time Network Awareness
• Without Sourcefire
  • IPS is a noise generator
  • Plethora of false positives
  • Gartner: “99 out of 100 alerts mean nothing”
  • Confidence level low: only a small number of threats can be safely blocked. Lack of precision.
  • Most IPSs can’t correlate threat, endpoint, and network intelligence to determine the susceptibility of the asset being targeted by the attack
• With Sourcefire IPS driving real-time defense
  • Know that events are real
  • Know the criticality of events
  • Know if critical assets have been compromised
  • Automate time-consuming manual processes
  • Get correlated threat, endpoint, and network intelligence and have the most accurate threat data in front of you
RNA: Real-time Network Awareness
Know where your mission critical systems stand:
• Continually visualize and analyze packets, assets, and data flow
• Identify and track anomalies such as DDoS attacks, worms, and zero-day threats from any entry point
• Detect and shut down illegal mail servers
• Detect and shut down rogue desktop applications including desktop web servers
• Enforce corporate policies for P2P restrictions such as Kazaa and instant messaging
Sourcefire Defense Center
The “nerve center” of the Sourcefire 3D System: it triggers the ABCs of Defense
• Event correlation
  • Correlates and prioritizes attack data against the true network layout and changes
• Command and control
  • Centrally administers your sensor grid
• 3D visualization
  • Gives you a clear picture of your networks and all REAL attacks
• Very low TCO
  • Plug-n-Protect appliance: no additional moving parts
  • Built-in, high performance database
  • Integrated data management capability gives you the power to manage all of your events, scaling to enterprise deployments without having to license additional DB licenses
Sourcefire Defense Center
• Helps document compliance with:
  • Federal Information Security Management Act (FISMA)
  • Gramm Leach Bliley (GLB) Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Sarbanes Oxley (SOX) Act
  • Security Breach Information Act (SB 1386)
  • Visa/MC Processing Card Industry’s (PCI) Data Security Standard
“In the PCI standard, it states we must use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. There are two kinds of IDS/IPSs on the market. One, you plug in and don’t ever want to hear from again. Then there’s the other kind that lets you get useful information about your network. That’s what we have with Sourcefire.”
Michael Morgan, Network Security Administrator, BankersBank Card Services
Sourcefire Defense Center
• Alerting
  • Real-time notification via all mainstream methods
  • Programmatic interfaces support unlimited integration
  • Streaming API
  • Bi-directional command & control interfaces
• Blocking
  • Wire-speed interception of network threats
  • Isolation and containment leveraging existing network infrastructure
    • Switches
    • Routers
    • Firewalls
• Correction
  • Patch or Configuration Management
  • System and Network Management
  • Asset management
Bringing It All Together: Unknown Exploit
1. Reconnaissance activity detected by passive Intrusion Sensor; events associated with the target are assigned higher priority.
2. RNA detects a change in the behavior and/or composition of the compromised asset.
3. Correlated events trigger remediation policy:
   - Isolate compromised server
   - Block attacker at firewall
   - Direct configuration mgmt.
   - Notify system administrator
4. In-line Intrusion Sensor policy updated to prevent reoccurrence.
Components shown in the diagram: Sourcefire Intrusion & RNA Sensors, Sourcefire Intrusion Sensor (in-line), Sourcefire Defense Center, Patch Management (or other solution)
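The correlation the RNA slide describes (is the targeted asset actually susceptible?) and the four-step remediation flow above, as an added Python sketch; this is illustrative code written for this page, not Sourcefire's Defense Center logic. The asset inventory, alert fields, the four-level impact scale and the peer-baseline check are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:                      # what passive discovery (RNA-style) knows about a host
    os: str
    services: dict                # port -> service name
    vulns: set                    # vulnerability ids inferred from OS/service versions
    peers: set = field(default_factory=set)  # hosts it normally talks to (behavioural baseline)

@dataclass
class Alert:                      # intrusion-event fields we correlate on
    sid: int
    src_ip: str
    dst_ip: str
    dst_port: int
    target_os: str                # OS family the rule's vulnerability applies to
    vuln: str                     # vulnerability id the rule covers

# Constructed sample inventory: a Windows web server and a Linux mail host.
INVENTORY = {
    "10.0.1.20": Asset("windows", {80: "iis"}, {"VULN-A"}, {"10.0.1.5"}),
    "10.0.1.30": Asset("linux", {25: "smtp"}, set(), {"10.0.1.5"}),
}

def impact(alert, inventory):
    """Target-based impact (constructed scale): 1 = target vulnerable, 2 = service present but
    vulnerability unknown, 3 = not susceptible (port closed or wrong OS), 4 = unknown host."""
    asset = inventory.get(alert.dst_ip)
    if asset is None:
        return 4
    if alert.dst_port not in asset.services or asset.os != alert.target_os:
        return 3
    return 1 if alert.vuln in asset.vulns else 2

def behaviour_changed(asset, seen_peers):
    """Step 2: the host now talks to peers outside its baseline."""
    return bool(set(seen_peers) - asset.peers)

def remediate(alert, inventory, seen_peers, inline_policy):
    """Step 3: run the remediation policy only for impact-1 events on a host whose
    behaviour changed; step 4: switch the inline sensor to drop that attack."""
    score = impact(alert, inventory)
    actions = []
    if score == 1 and behaviour_changed(inventory[alert.dst_ip], seen_peers):
        actions = [f"isolate {alert.dst_ip}", f"block {alert.src_ip} at firewall",
                   f"direct configuration mgmt to patch {alert.vuln} on {alert.dst_ip}",
                   "notify system administrator"]
        inline_policy[alert.sid] = "drop"  # step 4: the rule was alert-only before
    return score, actions
```

Events scored 2 to 4 are the noise the slide talks about: they stay visible to the analyst but never trigger automated containment.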
IPS? IDS? … Best of both worlds
• IDS:
  + Complete rules set
  - Too noisy
• IPS Inline:
  + No noise anymore!!!
  - Only « easy to catch » attack rules/signatures
• Sourcefire:
  + IPS Inline + IDS (complete rules set) + RNA
  + No noise but efficiency
Chart (1998, 2000, 2005): rule-set sizes compared; IDS (Snort) 5000 rules, IPS/IDS 8000 rules, IPS 300 rules
Vulnerability Research Team (VRT)
• 10 million dollar investment
• Write rules not signatures
• Full-time team:
  • Analysing vulnerabilities
  • Reverse-engineer patches
  • Create new rule updates every 2 weeks
  • Emergency updates via email distribution lists
• Security Engine Update: object model (code + data)
True Intrusion Prevention: The Better Way
• Sourcefire is the fastest growing company in the space due to its market-driven solution, innovation, and value.
• Gartner has moved Sourcefire to the front of the pack for “ability to execute” and “completeness of vision” in its latest Network Intrusion Prevention Appliance magic quadrant.
• The true intrusion prevention approach gives you the best of both worlds: open source community power and commercial innovation.
• With this approach, you leverage the best industry technologies from Check Point Software Technologies and Sourcefire (including Snort).
• You save money and time
  • 90% reduction in alerts
  • Provides automation wherever possible (and requested)
  • Uses Plug-n-Protect appliances
• Bottom line: it’s the most effective security to protect your:
  • Revenue
  • Reputation
  • Regulatory compliance
Questions & Answers
Information Security Magazine, The Influence List: “Sourcefire, framing the future of IT security”
www.sourcefire.com | 800.917.4134