
believe in more

ASA with FirePOWER


Solution Overview

Bucharest, 23 September 2014

Summary

Why Security, Why Cisco?

ASA with FirePOWER

AMP

Roadmap

Why Security, Why Cisco?

BYOD / Corporate owned:
90% of organizations are not fully aware of the devices accessing their network

Real-time social media / Email:
14% of organizations had malware enter the corporate network through social media/web apps

Cloud / App stores / Data center / Enterprise apps:
5-10 times more cloud services are being used than are known by IT
92% of top 500 Android apps carry security/privacy risks

Impact of a Breach

START: breach occurs
Data in breaches is stolen in HOURS
… of breaches remain undiscovered for MONTHS
Information of up to … individuals on the black market over the last three YEARS

Announcing September 16
Industry's First Threat-Focused NGFW: Cisco ASA with FirePOWER Services

- Proven Cisco ASA firewalling
- Industry-leading NGIPS and AMP
- Integrating defense layers helps organizations get the best visibility
- Enable dynamic controls to automatically adapt
- Protect against advanced threats across the entire attack continuum

#1 Cisco Security announcement of the year!

The Problem with Legacy Next-Generation Firewalls

Focus on the apps, but miss the threat.

Legacy NGFWs can reduce attack surface area, but advanced malware often evades security controls.

Cisco ASA with FirePOWER Services

Features
- Cisco ASA firewalling combined with Sourcefire next-generation IPS
- Integrated threat defense over the entire attack continuum
- Best-in-class security intelligence, application visibility and control (AVC), and URL filtering

Benefits
- Superior, multilayered threat protection
- Unprecedented network visibility
- Advanced malware protection
- Reduced cost and complexity

Superior Integrated & Multilayered Protection

Cisco Collective Security Intelligence enabled. Building blocks of Cisco ASA with FirePOWER Services:
- Clustering & High Availability
- Network Firewall, Routing | Switching
- Identity-Policy Control & VPN
- Intrusion Prevention (Subscription)
- Advanced Malware Protection (Subscription)
- URL Filtering (Subscription)
- Application Visibility & Control
- FireSIGHT Analytics & Automation
- Built-in Network Profiling

- World's most widely deployed, enterprise-class ASA stateful firewall
- Granular Cisco Application Visibility and Control (AVC)
- Industry-leading FirePOWER next-generation IPS (NGIPS)
- Reputation- and category-based URL filtering
- Advanced malware protection

FirePOWER Delivers Best Threat Effectiveness

- Security Value Map for Intrusion Prevention System (IPS)
- Security Value Map for Breach Detection

Unprecedented Network Visibility

Columns on the slide: FirePOWER Services, Typical IPS, Typical NGFW. What FirePOWER Services sees:
- Threats
- Users
- Web Applications
- Application Protocols
- File Transfers
- Malware
- Command & Control Servers
- Client Applications
- Network Servers
- Operating Systems
- Routers & Switches
- Mobile Devices
- Printers
- VoIP Phones
- Virtual Machines

Reduced Cost and Complexity

- Multilayered protection in a single device
- Highly scalable
- Automates security tasks
  - Impact assessment
  - Policy tuning
  - User identification
- Integrates with third-party security solutions

Annual Costs of IPS Maintenance (Typical IPS vs. Next-Generation IPS)
Impact Assessment of IPS Events: $144,000 vs. $24,300
IPS Tuning: $72,000 vs. $18,000
Linking IPS Events to Users: $59,400 vs. $3,000
Cisco's FirePOWER Next-Generation IPS collectively saves this customer $230,100 per year.

AMP Provides Continuous Retrospective Security

Breadth of control points: Email, Web, Network, IPS, Endpoints, Devices

Telemetry stream (continuous feed):
- File fingerprint and metadata
- File and network I/O
- Process information

Continuous analysis

Integrated Threat Defense at Work

Threat intelligence led to identifying and stopping the extensive "String of Pearls" malware campaign.

Key techniques:
- Cisco detects, analyzes and protects against known and emerging threats
- Leveraged data sources across Email, Web, and Advanced Malware Protection products
- Used big data analytics to link disparate events and malware activity
  - Endpoint behavior
  - Malware deconstruction

Result: multiple Indications of Compromise (IoCs) identified the malware infection.

ASA with FirePOWER Services vs. Typical NGFW

Feature | Cisco ASA with FirePOWER Services | Typical NGFW
NSS NGFW Security Value Map, Gartner IPS MQ | Superior | Partial or Not Available
Reputation-Based Proactive Protection | Superior | Not Available
Intelligent Security Automation | Superior | Not Available
File Reputation, File Trajectory, Retrospective Analysis | Superior | Not Available
Application Visibility and Control | Superior | Available
Acceptable Use/URL Filtering | Superior | Available
Remote Access VPN | Superior | Not Enterprise-Grade
Stateful Firewall, HA, Clustering | Superior | Available*

* HA capabilities vary by NGFW vendor; only Check Point and McAfee support clustering.

Threat-focused Value Positioning Framework

ASA CX
- First-gen NGFW for medium-sized business Internet edge deployments
- Up to 4 Gbps (5585-X SSP60) threat-inspected
- Position for:
  - On-box SSL
  - On-box manager

Cisco ASA with FirePOWER Services
- Sophisticated NG anti-threat & advanced malware protection trusted by security ops worldwide
- Up to 6 Gbps (5585-X SSP60) threat-inspected
- Position for:
  - Edge and enterprise networks
  - Clustered DC

FirePOWER Appliances
- Sophisticated NG anti-threat & advanced malware protection trusted by security ops worldwide
- Up to 60 Gbps (FP8390), stackable to 120 Gbps, threat-inspected
- Position for:
  - Data center (DC-CVD)
  - Very high throughput
  - IPS-only refresh

Why Upgrade?

High performance
- ASA 5512-X: 1 Gbps FW throughput
- ASA 5515-X: 1.2 Gbps FW throughput
- ASA 5525-X: 2 Gbps FW throughput
- ASA 5545-X: 3 Gbps FW throughput
- ASA 5555-X: 4 Gbps FW throughput
- Up to 4X faster than legacy ASA
- Increased throughput, CPS, sessions

Accelerated, integrated services
- Integrated security acceleration hardware
- No extra hardware required (security services enabled with software licenses)

Next-generation security
- Application control (AVC)
- Next-Generation IPS
- Security intelligence and URL filtering
- Advanced Malware Protection

Upgrading from ASA with Classic IPS to FirePOWER Services for ASA

When upgrading from classic IPS to FirePOWER Services, adding new features can require a platform change. Generally each new major feature is a step up, assuming the box is near capacity.

Model | Classic IPS Module | FirePOWER AVC or IPS | FirePOWER IPS + AVC | FirePOWER IPS + AVC + AMP
5512-X | 150 | 100 | 75 | 60
5515-X | 250 | 150 | 100 | 85
5525-X | 400 | 375 | 255 | 205
5545-X | 600 | 575 | 360 | 310
5555-X | 850 | 725 | 450 | 340
5585-10 | 1150 | 1200 | 800 | 550
5585-20 | 1500 | 2000 | 1200 | 850
5585-40 | 3000 | 3500 | 2100 | 1500
5585-60 | 5000 | 6000 | 3500 | 2300

This is a general approximation!

Order Structure

1. New appliance or upgrade
- ASA 5585-X with FirePOWER Services: FirePOWER Services blade
- ASA 5500-X with FirePOWER Services: SSD + FirePOWER Services upgrade license

2. Security subscriptions
- One of the five IPS, URL Filtering, Advanced Malware subscription packages
- 1 and 3 year term options

3. Management systems
- Cisco FireSIGHT Manager Virtual or FireSIGHT Appliance (required)
- Cisco Security Manager (CSM) (optional)
- Must run ASA 9.2.2.4+, FirePOWER Services 5.3.1+
- SMARTnet / SASU

Five Subscription Packages to Choose From for Each Appliance
- 1 and 3 year terms
- AVC is part of the default offering; AVC updates are included in SMARTnet

Package | Contents
URL | URL
TA | IPS
TAC | IPS, URL
TAM | IPS, AMP
TAMC | IPS, AMP, URL

Cisco ASA with FirePOWER Services: A New, Adaptive, Threat-Focused NGFW

- Superior visibility: full contextual awareness to eliminate gaps
- Integrated threat defense: best-in-class, multilayered protection in a single device
- Automation: simplified operations and dynamic response and remediation

Why AMP?

- Attackers are determined and resourceful
- Malware still gets onto devices; detection is not 100%
- Point-in-time detection is not sufficient
- Integrated response is required to be effective
- Advanced Malware Protection must be pervasive

AMP solves business problems:
- Where do I start?
- What is the scope and how bad is the situation?
- What was the point and method of entry?
- Can I control and remediate across gateways, networks, and endpoints?

Comprehensive Security Solutions

Attack continuum: BEFORE (Control, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate)

Network
- Contextual awareness
- Control automation
- In-line threat detection and prevention
- File retrospection
- File trajectory

Endpoint
- File execution blocking
- File retrospection
- File trajectory
- Device trajectory
- File analysis
- Indications of Compromise
- Outbreak control

Key Features of AMP on Content Security

File Reputation
- Blocks files known to be malicious
- Reputation verdicts delivered by the AMP cloud intelligence network

File Sandboxing
- Behavioral analysis of unknown files
- Looks for suspicious behavior
- Feeds intelligence back to the AMP cloud

File Retrospection
- Continuous analysis of files that have traversed the gateway
- Retrospective alerting after an attack when a file is determined to be malicious

Protection Across the Attack Continuum

BEFORE (Control, Enforce, Harden): Filtering, Usage Controls, Reputation
DURING (Detect, Block, Defend): Malware Signature, File Reputation, File Behavior
AFTER (Scope, Contain, Remediate): File Retrospection, Threat Analytics

AMP Feature Comparison

Columns on the slide: Secure Gateway, Network Appliance, Endpoint

BEFORE
- Block: File Reputation
DURING
- Detect: File Sandboxing
- Monitor: File Retrospection, IoCs
AFTER
- Investigate: File Analysis, File Trajectory, Device Trajectory, Threat Hunting
- Control: Outbreak Control

Reputation Filtering and Behavioral Detection

Spero Engine: Big Data and Machine Learning
- Spero is one of the detection engines in the AMP Cloud
- Provides zero-day detection
- Creates a feature print of a file:
  - Structural information
  - Referenced DLLs
  - PE header
- Sends this feature print to the AMP Cloud
- Matches machine-learned data trees and returns a disposition
- Spero is available in AMP for Networks and Windows Endpoint Connectors

AMP Cloud Features

- Admin portal: deployment and management
- Network and endpoint protection
- Tracking and outbreak control
  - Device trajectory
  - File trajectory
  - Threat root cause
- Offloads heavy analysis from the connector
- Collective Security Intelligence

AMP for Endpoints
- Managed and deployed from the cloud (AMP Cloud or Private Cloud)
- File activity (create/edit/move/execute)
- One-to-One / Spero / Ethos
- Simple and advanced custom detections
- Retrospective alerting and quarantine
- Application control
- Network flow correlation
- Black/white lists
- Dynamic analysis

AMP for Endpoints Capabilities

Capability | Windows | Mac | Android
Hash Lookups | SHA256 | SHA256 | SHA1
Supported Clouds | Public, Private | Public | Public

Further capabilities compared on the slide: Ethos, Spero, Simple Custom Detections, Advanced Custom Detections, Retrospective Alerting, File Quarantine, Device Flow Correlation, Application Control

AMP for Networks

Managed by FireSIGHT Management Center (Defense Center):
- Configuration (policy)
- File trajectory
- AMP events
- Correlation

FirePOWER appliance:
- Carves files from network flows
- Stores locally
- Calculates hash for lookup (by policy)
- File detection: One-to-One SHA256, Spero
- File disposition queried against AMP Cloud (SHA256, Spero)
- File submitted for dynamic analysis (by policy) to the VRT Dynamic Analysis Cloud

Manual dynamic analysis for endpoint connectors

AMP Cloud provides:
- File trajectory
- Retrospective alerting
- Dynamic analysis: policy-based automatic file submission (public cloud only; private cloud available in 5.4)

AMP for Networks Integrated with AMP for Endpoints

FireSIGHT Management Console (Defense Center):
- Configuration (policy)
- File trajectory
- AMP events
- Correlation
- Link to AMP Public Cloud for endpoint connector events

FirePOWER appliance:
- Carves files from network flows
- Stores locally
- Calculates hash for lookup (by policy)
- File disposition queried against AMP Cloud (SHA256, Spero)
- File submitted for dynamic analysis (by policy) to the VRT Dynamic Analysis Cloud

Manual dynamic analysis for endpoint connectors

Endpoint connectors report to the AMP Cloud

FireAMP Private Cloud Design

- Admin portal for rapid deployment and management
- Anonymized file disposition lookups
- Retrospective analysis
- Device trajectory
- File trajectory
- Root cause
- Tracking and outbreak control

Public Cloud Communication and Retrospection

Connectors -> AMP Cloud: File Query, Enterprise (Connector ID, SHA, Spero, Ethos)
AMP Cloud -> Connectors: Response Disposition
Connectors -> AMP Cloud: PING2 Query
AMP Cloud: SHA Conviction -> Retrospective Queue -> Changed Disposition returned to the connectors

Private Cloud Communication and Retrospection

Connectors -> On-premise Appliance: File Query, Enterprise First / Unique (Connector ID, SHA, Spero, Ethos)
On-premise Appliance: Spero, Ethos (locally evaluated); Response Disposition to the connectors
On-premise Appliance -> AMP Cloud: Upstream File Query (Device ID, SHA)
AMP Cloud -> On-premise Appliance: Response Disposition
Connectors -> On-premise Appliance: File Query, Previously Seen in Enterprise (Connector ID, SHA, Spero, Ethos); Spero, Ethos locally evaluated; Response Disposition
Retrospection: AMP Cloud SHA Conviction -> Retrospective Queue -> Changed Disposition to the appliance (PING2 Query); appliance Retrospective Queue -> Changed Disposition to the connectors (PING2 Query)
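The query-and-retrospection flow on the two slides above, as an added illustrative model that is not Cisco's code or protocol: connectors query by SHA, the service records which connector saw the file (the file trajectory), and a later conviction queues a changed disposition for every connector that queried it, delivered on that connector's next poll. The names DispositionService, file_query, sha_conviction, ping2 and the sample hash values are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RetroAlert:
    connector_id: str
    sha256: str
    old_disposition: str
    new_disposition: str


class DispositionService:
    """Toy model (assumed names, not Cisco code) of the cloud side: a SHA256 -> disposition
    table, a trajectory of which connector saw which file, and a retrospective queue."""
    def __init__(self, known):
        self.dispositions = dict(known)       # constructed seed verdicts
        self.trajectory = defaultdict(list)   # sha256 -> connectors, in order seen
        self.retro_queue = []                 # pending changed-disposition events

    def file_query(self, connector_id, sha256):
        """File Query (Connector ID, SHA): record the sighting, return the current verdict."""
        seen = self.trajectory[sha256]
        if connector_id not in seen:
            seen.append(connector_id)
        return self.dispositions.get(sha256, "unknown")

    def sha_conviction(self, sha256, verdict):
        """A later verdict changes the disposition; queue one event for every
        connector that ever queried this SHA. Returns how many were queued."""
        old = self.dispositions.get(sha256, "unknown")
        if old == verdict:
            return 0
        self.dispositions[sha256] = verdict
        for cid in self.trajectory[sha256]:
            self.retro_queue.append(RetroAlert(cid, sha256, old, verdict))
        return len(self.trajectory[sha256])

    def ping2(self, connector_id):
        """Connector poll (models the PING2 query): hand over and drop its events."""
        mine = [a for a in self.retro_queue if a.connector_id == connector_id]
        self.retro_queue = [a for a in self.retro_queue if a.connector_id != connector_id]
        return mine


SHA_CLEAN, SHA_LATER_BAD = "11" * 32, "ab" * 32   # constructed placeholder hashes

def demo():
    svc = DispositionService({SHA_CLEAN: "clean"})
    first = [svc.file_query(c, SHA_LATER_BAD) for c in ("pc-01", "pc-02")]  # unknown at the time
    svc.file_query("pc-03", SHA_CLEAN)
    queued = svc.sha_conviction(SHA_LATER_BAD, "malicious")  # verdict arrives after the fact
    return first, queued, svc.ping2("pc-01"), svc.ping2("pc-03"), list(svc.trajectory[SHA_LATER_BAD])
```

The point to notice is that pc-01 and pc-02 were told "unknown" at query time and are only alerted because the service kept the trajectory; pc-03, which never saw the file, gets nothing.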

AMP Everywhere

- Events / correlation: FireSIGHT
- Cloud connected: CWS (gateway)
- On-premises: ASA (network), WSA (gateway), ESA (gateway), FirePOWER (network), FireAMP (endpoint)
- Dynamic analysis (sandbox): in the cloud, and on-premises with FireAMP Private Cloud

FirePOWER Services on the ASA

FireSIGHT Management Console (Defense Center):
- Configuration (policy)
- File trajectory
- AMP events
- Correlation
- Link to AMP Public Cloud for endpoint connector events

Cisco Security Manager

ASA cluster with Sourcefire virtual sensor:
- File submitted for dynamic analysis to the VRT Dynamic Analysis Cloud
- File disposition queried against AMP Cloud (SHA256, Spero)

Endpoint connectors: manual dynamic analysis for endpoint connectors; events reported to the AMP Cloud

Advanced Malware Protection Roadmap Summary

Timeline columns on the slide: Q114, Q214, Q314, Q414, Q115, Q215
Legend: Endpoint Component, Network Component, Content Component, Common Use

Cloud and Connector delivery model
- FireAMP 4.5: Cloud IOC support, remote file extraction, Elastic Search, low prevalence report
- FireAMP 4.5.2 / Connector 3.1.9
- Mac OSX Connector 1.0: Mac OSX support; Mac OSX Connector 1.x: parity completion
- FireAMP 5.0 / Connector 4.0: role-based access control (RBAC), support portal, risk reports
- FireAMP 5.1: endpoint OpenIOC, license enforcements
- FireAMP Linux Connector 1.0: Linux support
- FireAMP 5.2: enhanced RBAC, MD5, ThreatGRID cloud integration, private cloud support
- POS Connector 1.0: support for POS
- Bitters v5.3: 0-day malware detection (cloud based sandbox)
- Drambuie v6: file preclassification engine, EU cloud support, file archive (.zip) support, UTF8 filename display
- Chivas v5.4: integrated SSL decryption, DNS and URL blacklist
- Elektra: AMP (Sourcefire) on ASA
- AMP 8150, 7150: new FirePOWER models with increased memory and CPU cores (for file functions)
- AMP on Web/Mail/Cloud (ESA/WSA/CWS): file disposition look-ups, 0-day malware detection (cloud based sandbox)

On-Premise delivery model (above plus these)
- FireAMP Private Cloud 1.0: file capture and storage, custom file detection/blocking, host and network malware event correlation
- FireAMP Virtual Appliance: proxied cloud with local management and reporting
- FireAMP Private Cloud 2.0: private cloud support, custom file detection/blocking, air-gapped, license enforcements
- Dynamic analysis: local dynamic analysis (sandboxing), ThreatGRID on-prem integration

CONTACT

For more info regarding our Security Solution please use the contact details below:
Address: Splaiul Independentei nr.179, Corp B, Sector 5, Bucuresti, 050099
Phone: +40 21 3178787
Fax: +40 21 3179797
Email: office@datanets.ro
Member of Soitron group of companies.

Q&A
Thank you for your attention.
