Cisco acquired Sourcefire in 2013 as part of a strategic move to enhance Cisco’s security portfolio. Sourcefire’s catalog covers IPS/IDS, Application Security and Control, Firewalling, Malware Detection and a slew of open source tools such as SNORT, ClamAV, and Razorback.
One key piece to the Sourcefire puzzle is the management of the various solutions. This is done through Defense Center or FireSIGHT, which is the centralized management tool used for visibility of security and network events across the entire network. This post will provide an overview of using Defense Center / FireSIGHT from an administrative viewpoint.
Sourcefire login screen
Defense Center is accessed using a standard browser as shown above. Once you log in, you will hit the main dashboard view. There are focused Summary dashboards for network, threat and intrusion events, as well as options to create whatever variation of customized dashboard you desire, making it easy for an administrator to identify the top things to focus on.
Defense Center Summary Dashboard
One very cool dashboard is the Context Explorer found under Analysis > Context Explorer. This provides interactive content modules summarizing what is on the network, what applications are being accessed, current threats, types of traffic and so on.
There are many variations of the data displayed, as well as buttons that tune the focus of the data, such as targeting Business Relevant Applications rather than High Risk applications. Most diagrams can be clicked to dig deeper into the data. The next screenshot shows focusing on client applications that are a possible risk.
Administrators can add filters to focus in on desired data points. For example, the next image shows adding a filter to only view high or medium risk application data, followed by the results once the filter is applied.
There are many methods you can use to control how traffic is handled using access policies found under Policies > Access Control. Administrators can layer rules based on users, applications, ports, and URLs. Actions for rules can range from monitor only to completely blocking traffic, including options for inspecting any matching traffic for threats. Here is a screenshot of various policies, which are groups of rules.
Once I click a policy, I can see the list of rules being enforced with details on how it impacts the network.
To create a rule to block Facebook games and chat, I can click Add Rule and enter the information as shown in the next screenshot. I can also assign a risk level; in this case, it's a Low alert.
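To make the rule layering described above concrete, here is a small rule evaluator written for this post; it is an added example, not Sourcefire or FireSIGHT code. It assumes rules are evaluated top-down on user, application, port and URL criteria, that a monitor-only rule logs the match and lets evaluation continue to later rules, and that any other action terminates evaluation. The rule names, the action vocabulary (`allow`, `block`, `monitor`, `allow_inspect`) and the sample connections are constructed for the example.

```python
"""Toy ordered access-control rule evaluator (added example, not product code).

Assumptions: rules are checked in order; an empty criterion set means "any";
a "monitor" rule records the hit and falls through; any other action is final.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Rule:
    name: str
    action: str                                  # allow | block | monitor | allow_inspect
    users: set = field(default_factory=set)      # empty = any user
    apps: set = field(default_factory=set)       # empty = any application
    ports: set = field(default_factory=set)      # empty = any port
    url_patterns: list = field(default_factory=list)  # glob patterns, empty = any URL

    def matches(self, conn: dict) -> bool:
        """Return True when every non-empty criterion matches the connection."""
        if self.users and conn.get("user") not in self.users:
            return False
        if self.apps and conn.get("app") not in self.apps:
            return False
        if self.ports and conn.get("port") not in self.ports:
            return False
        if self.url_patterns and not any(
            fnmatch(conn.get("url", ""), pat) for pat in self.url_patterns
        ):
            return False
        return True


def evaluate(rules, conn, default_action="block"):
    """Walk the ordered rule list for one connection.

    Returns (final_action, terminating_rule_name_or_None, monitor_hits).
    Monitor rules are collected in monitor_hits and never end evaluation.
    """
    monitor_hits = []
    for rule in rules:
        if not rule.matches(conn):
            continue
        if rule.action == "monitor":
            monitor_hits.append(rule.name)
            continue
        return rule.action, rule.name, monitor_hits
    return default_action, None, monitor_hits


# Constructed policy mirroring the post's "block Facebook games and chat" rule.
POLICY = [
    Rule("Watch social media", "monitor",
         apps={"facebook", "facebook_games", "facebook_chat"}),
    Rule("Block Facebook games and chat", "block",
         apps={"facebook_games", "facebook_chat"}),
    Rule("Inspect general web", "allow_inspect", ports={80, 443}),
]

# Constructed sample connections (no real users or hosts).
CHAT = {"user": "alice", "app": "facebook_chat", "port": 443, "url": "https://facebook.com/chat"}
WALL = {"user": "alice", "app": "facebook", "port": 443, "url": "https://facebook.com/"}
SSH = {"user": "bob", "app": "ssh", "port": 22, "url": ""}


if __name__ == "__main__":
    for label, conn in (("chat", CHAT), ("wall", WALL), ("ssh", SSH)):
        print(label, evaluate(POLICY, conn))
```

The point of the monitor fall-through is that a monitor-only rule gives visibility without deciding the flow, so the block rule beneath it still fires for chat while ordinary Facebook browsing falls to the inspect-and-allow rule, and traffic no rule covers lands on the policy's default action.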
Another powerful view in Defense Center is the ability to quickly identify infected systems along with any associated parties. Defense Center has a Malware view showcasing all threats, including the history of the infected file. This allows administrators to not only identify "patient zero", aka the entry point of the infection, but also track any interaction with the file to contain the entire breach. The next screenshot shows a list of malware identified by Sourcefire.
Once you click into an identified threat, you can see the entire history of that file. This is known as retrospective security, meaning having the ability to track all interaction points with the infected file. Each circle is a point the file traveled through, as shown below.
Here is an example where I clicked the first circle to see how the file first entered the network. The data shows the infected file Gael.exe was downloaded by a user (IP blurred out) using Firefox on 6-11-2014 at 12:07:11. The circles show each step the file has taken since it entered the network, helping administrators contain the threat. Sourcefire has an endpoint product that can be placed on hosts, providing more visibility into what is installed on endpoints and their risk of infection, as well as remediation options.
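The file-trajectory view above is easy to reconstruct from raw transfer events, which is what the following added example does; it is written for this post and is not Sourcefire code. It assumes each event records a timestamp, the file's hash, the sending and receiving host, the channel, and the disposition the sensor held at that moment, so that sorting events for one hash gives the trajectory, the earliest transfer from outside the network gives patient zero, and a later retrospective verdict change marks the point after which every host that touched the file needs containment. The hash, the hosts and all events below are constructed placeholders; only the file name and the entry timestamp are taken from the post.

```python
"""Rebuild a file trajectory and patient zero from transfer events.

Added example, not product code. Event fields and their semantics are
assumptions made for this illustration.
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
EXTERNAL = {"internet"}          # assumed label for sources outside the network

# Constructed events for one file (placeholder hash; 10.0.0.x hosts are invented).
EVENTS = [
    {"ts": "2014-06-11 12:07:11", "sha256": "PLACEHOLDER_HASH", "name": "Gael.exe",
     "src": "internet", "dst": "10.0.0.5", "via": "http/firefox", "disposition": "unknown"},
    {"ts": "2014-06-11 12:30:02", "sha256": "PLACEHOLDER_HASH", "name": "Gael.exe",
     "src": "10.0.0.5", "dst": "10.0.0.9", "via": "smb", "disposition": "unknown"},
    {"ts": "2014-06-11 13:05:47", "sha256": "PLACEHOLDER_HASH", "name": "Gael.exe",
     "src": "10.0.0.9", "dst": "10.0.0.12", "via": "smb", "disposition": "unknown"},
    # Retrospective verdict: the cloud lookup later reclassifies the same hash.
    {"ts": "2014-06-12 09:00:00", "sha256": "PLACEHOLDER_HASH", "name": "Gael.exe",
     "src": "cloud-verdict", "dst": None, "via": "retrospective", "disposition": "malware"},
    # Unrelated file, to show the hash filter works.
    {"ts": "2014-06-11 12:08:00", "sha256": "OTHER_HASH", "name": "setup.exe",
     "src": "internet", "dst": "10.0.0.7", "via": "http", "disposition": "clean"},
]


def trajectory(events, sha256):
    """All events for one hash, oldest first (the chain of circles in the UI)."""
    return sorted((e for e in events if e["sha256"] == sha256),
                  key=lambda e: datetime.strptime(e["ts"], FMT))


def patient_zero(events, sha256):
    """First internal host to receive the file from an external source, or None."""
    for e in trajectory(events, sha256):
        if e["src"] in EXTERNAL and e["dst"]:
            return e["dst"], e["ts"], e["via"]
    return None


def exposed_hosts(events, sha256):
    """Every internal host that sent or received the file."""
    hosts = set()
    for e in trajectory(events, sha256):
        for h in (e["src"], e["dst"]):
            if h and h not in EXTERNAL and h != "cloud-verdict":
                hosts.add(h)
    return hosts


def verdict_changed_at(events, sha256, verdict="malware"):
    """Timestamp of the first event carrying the given disposition, or None."""
    for e in trajectory(events, sha256):
        if e["disposition"] == verdict:
            return e["ts"]
    return None


def containment_plan(events, sha256):
    """Hosts to isolate, ordered by first contact, once a malware verdict exists."""
    if verdict_changed_at(events, sha256) is None:
        return []
    first_seen = {}
    for e in trajectory(events, sha256):
        for h in (e["src"], e["dst"]):
            if h and h not in EXTERNAL and h != "cloud-verdict" and h not in first_seen:
                first_seen[h] = e["ts"]
    return sorted(first_seen, key=first_seen.get)


if __name__ == "__main__":
    h = "PLACEHOLDER_HASH"
    print("patient zero:", patient_zero(EVENTS, h))
    print("exposed:", sorted(exposed_hosts(EVENTS, h)))
    print("verdict changed:", verdict_changed_at(EVENTS, h))
    print("contain in order:", containment_plan(EVENTS, h))
```

The value of keeping every transfer event, even for a file whose disposition was "unknown" at the time, is exactly what the retrospective verdict exploits: once the hash is reclassified, the trajectory already tells you the entry point and every host to contain, without waiting for fresh detections.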
To see the general history of a host, you click a host name or IP and see its risk, what it is, and what it has been doing on the network. So, for example, I clicked one of the infected host IP addresses to see the info shown in the next screenshot. As you can see, there are indications of compromise triggering high-level alarms, highlighted by the red box.
That is just a general overview of the Sourcefire Defense Center management solution. Check out sourcefire.com for more information, as well as information on webinars that go deeper into demonstrating the solution.