Hawaii Tech Day - Cisco Advanced Malware Protection
TRANSCRIPT
Shang Hsiung & Robert Bui, Advanced Threat Solutions – AMP/Threat Grid - US Federal DoD & IC, February 2017
Technical Discussion
Cisco Advanced Malware Protection
The Reality: Organizations Are under Attack
Viruses: 1990-2000
Worms: 2000-2005
Spyware and Rootkits: 2005-Today
APTs, Cyberware: Today +
(timeline: 1990 1995 2000 2005 2010 2015 2020)
Phishing, Low Sophistication -> Hacking Becomes an Industry -> Sophisticated Attacks, Complex Landscape
95% of large companies targeted by malicious traffic
100% of organizations interacted with websites hosting malware
§ Cybercrime is lucrative, barrier to entry is low
§ Hackers are smarter and have the resources to compromise your organization
§ Malware is more sophisticated
§ Organizations face tens of thousands of new malware samples per hour
Source: 2014 Cisco Annual Security Report
Antivirus
Legacy IPS
Initial Disposition = Clean -> Actual Disposition = Bad -> Too Late!!
Analysis Stops
Event Horizon
Sleep Techniques
Unknown Protocols
Encryption
Polymorphism
Blind to scope of compromise
Point-in-Time Detection Tools Alone Are Insufficient and Provide Limited or No Visibility Into Threats Once They Get in
Not 100%
To Defend Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum
Data Center, Endpoints, Email and Web, Network, Mobile
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate
Threat intelligence
Point-in-Time detection
Retrospective security
Learn about threats faster
AMP Strengthens Defenses Using Cisco Threat Intelligence
Knowledge base: Extensive and growing back-end research on the latest threats and security trends
Insight: Analytics and behavioral indicators for your system written in plain English
Expertise: Talos - team of threat analysts/researchers working to provide you with the latest threat intelligence 24/7
13 billion web requests per day
100 TB of data received daily
1.5 million* incoming malware samples per day
35% of worldwide email traffic
Threat Grid Unifies Analysis and Threat Intelligence to Deliver…
Automated Analysis Context Rich Analytics Seamless Integration
Threat Grid Feeds Malware Analysis and Threat Intelligence to the AMP Solution
Cisco® AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts
Actionable threat content and intelligence is generated that can be utilized by AMP, or packaged and integrated into a variety of existing systems or used independently.
Analyst or system (API) submits suspicious sample to Threat Grid
Low Prevalence Files
An automated engine observes, deconstructs, and analyzes using multiple techniques
Actionable threat content and intelligence is generated that can be packaged and integrated into a variety of existing systems or used independently.
AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts
Threat Score/Behavioral Indicators
Big Data Correlation
Threat Feeds
Sample and Artifact Intelligence Database
Actionable Intelligence
§ Proprietary techniques for static and dynamic analysis
§ “Outside looking in” approach
§ 350 Behavioral Indicators
Unique to Cisco® AMP
In Addition to Threat Intelligence, AMP Delivers
Point-in-Time Protection
File Reputation, Sandboxing, and Behavioral Detection
Retrospective Security
Continuous Analysis
Cisco AMP Defends with Reputation Filtering and Behavioral Detection
Continuous Protection: Reputation Filtering, Behavioral Detection
Dynamic Analysis
Machine Learning
Fuzzy Fingerprinting
Advanced Analytics
One-to-One Signature
Indications of Compromise
Device Flow Correlation
Point-in-Time Detection Retrospective Security
Cisco Collective Security Intelligence
Cisco AMP Defends with Retrospective Security
Trajectory
Behavioral Indications of Compromise
Elastic Search
Continuous Analysis
Attack Chain Weaving
If Something Gets in, Retrospective Security Helps You Find Answers to the Most Pressing Security Questions
Where did it come from?
Where has the malware been?
What is it doing?
How do we stop it?
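The retrospective idea on this slide, as an added example that is not Cisco's or AMP's code: a toy tracker keeps the telemetry a point-in-time scanner would discard, so that when a hash's disposition later flips from clean to malicious it can still answer the questions above. Hosts, hash labels (HASH_X, HASH_Y) and events are constructed.

```python
"""Toy model of retrospective security: keep the telemetry a point-in-time
scanner would discard, so a later verdict change can still be acted on.
Added example, not Cisco's or AMP's code; hosts, hashes and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    ts: int        # observation time (constructed, seconds)
    host: str      # endpoint that saw the file
    sha256: str    # placeholder hash label, not a real digest
    action: str    # "download", "copy" or "execute"
    parent: str    # source URL, share or parent process (constructed)

# Constructed endpoint telemetry: HASH_X is downloaded on host-a, then copied to host-b.
EVENTS = [
    FileEvent(1000, "host-a", "HASH_X", "download", "http://example.invalid/setup.exe"),
    FileEvent(1010, "host-a", "HASH_X", "execute", "explorer.exe"),
    FileEvent(1300, "host-b", "HASH_X", "copy", "\\\\host-a\\share"),
    FileEvent(1400, "host-b", "HASH_X", "execute", "cmd.exe"),
    FileEvent(1500, "host-c", "HASH_Y", "download", "http://example.invalid/ok.exe"),
]

class RetroTracker:
    """Stores every observation and re-evaluates it when intelligence changes."""
    def __init__(self):
        self.disposition = {}          # sha256 -> "clean" | "malicious" | "unknown"
        self.seen = defaultdict(list)  # sha256 -> [FileEvent], never discarded

    def observe(self, ev):
        self.seen[ev.sha256].append(ev)
        return self.disposition.get(ev.sha256, "unknown")  # point-in-time verdict

    def update_disposition(self, sha256, new):
        """Intel update; returns hosts to scope and contain if the verdict turned bad."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = new
        if new == "malicious" and old != "malicious":
            return sorted({e.host for e in self.seen[sha256]})
        return []

    def trajectory(self, sha256):
        """Where did it come from, where has it been, and where did it execute."""
        evs = sorted(self.seen[sha256], key=lambda e: e.ts)
        hosts = list(dict.fromkeys(e.host for e in evs))  # first-seen order
        return {"origin": evs[0].parent if evs else None, "hosts": hosts,
                "executed_on": sorted({e.host for e in evs if e.action == "execute"})}
```

A point-in-time tool returns "clean" for HASH_X at observation time and stops; the tracker's stored events are what make the later "malicious" update actionable.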
The AMP Everywhere Architecture: AMP Protection Across the Extended Network for an Integrated Threat Defense
AMP Threat Intelligence Cloud
Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
AMP on Web and Email Security Appliances
AMP on Cisco® ASA Firewall with FirePOWER™ Services
AMP Private Cloud Virtual Appliance
AMP on FirePOWER NGIPS Appliance (AMP for Networks)
AMP on Cloud Web Security and Hosted Email
CWS/CTA
Threat Grid: Malware Analysis + Threat Intelligence Engine
AMP on ISR with FirePOWER Services
AMP for Endpoints
Remote Endpoints
AMP for Endpoints can be launched from Cisco AnyConnect ®
AMP on Meraki® MX
AMP: Advanced Malware Protection
AMP for Endpoints
AMP for Cloud Web Security and Hosted Email
Windows OS
Android Mobile
Virtual
CWS
AMP for Networks
AMP on Cisco® ASA Firewall with FirePOWER Services
AMP on Web and Email Security Appliances
MAC OS
AMP Private Cloud Virtual Appliance
AMP Threat Grid: Malware Analysis + Threat Intelligence Engine, Appliance or Cloud
*AMP for Endpoints can be launched from AnyConnect
Linux for Servers and Data Centers
Cisco AMP Everywhere Protects Your Extended Network with Many Deployment Options
AMP for Networks (AMP on a Cisco FirePOWER NGIPS)
Umbrella Investigate: the most powerful way to uncover threats
Console
API
SIEM
Key points
Intelligence about domains, IPs, and malware across the internet
Live graph of DNS requests and other contextual data
Correlated against statistical models
Discover and predict malicious domains and IPs
Enrich security data with global intelligence
domains, IPs, ASNs, file hashes
DEMO