Cisco Threat Grid Integrations with Email, Web, and Endpoint Security


2 Cisco Threat Grid Integrations with Email, Web, and Endpoint Security
Moritz Wenz, Manager Systems Engineering, Advanced Threat Solutions
Rene Straube, Consulting Systems Engineer, Advanced Threat Solutions

3 Agenda
Introduction to Cisco Threat Grid
Understanding the Cisco AMP Architecture and Threat Grid
Cisco AMP and Threat Grid for Content Security: Email Security Solution, Web Security Solution
Recent Enhancements for AMP Integrations
Cisco AMP and Threat Grid for Endpoint Security
Enhancing Incident Research and Response Capabilities
Conclusions

4 Cisco Spark: Questions?
Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#
2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Key Objectives
What are we going to cover in this session
Provide a clear differentiation for the AMP Solution and Threat Grid Products
Provide a detailed understanding of how Security Products integrate with AMP and Threat Grid
Describe and position different deployment options for Threat Grid Products
What's not covered in this session (For Your Reference)
Detailed information about the entire AMP Solution, please see the recordings of:
BRKSEC-3446 Endpoint Security, Your Last Line of Defense ( , 16:45)
TECSEC-3527 AMP for Endpoints: Advanced Diagnostics and API overview
LTRSEC-2200 You Got Hacked! Here is What To Do (AMP For Endpoints, Threat Grid, CTA...)
TECSEC-2169 A Deep Dive on how Cisco's Advanced Threat Security Portfolio Integrate
LALSEC-2600 Current Malware Techniques & How to Combat them with Cisco ATS
Detailed information about Cisco ESA, please see the following sessions:
LTRSEC Email Security Hands-On Lab ( , 09:00)
TECSEC Email Security: Best Practices and Fine Tuning
Detailed information about Cisco WSA, please see the following session:
BRKSEC-2303 Cisco Web Security Appliance - Best Practices ( , 16:30)

8 Core Message
Sandboxing is not the Silver Bullet technology.
Dynamic File Analysis is just one piece of the puzzle and has to integrate seamlessly with all other Security Solutions in a deployment.

9 Introduction to Cisco Threat Grid

10 What is AMP Threat Grid?
Unified malware analysis platform
Advanced static and dynamic analysis
Behavioral indicators
Scalability & Global Correlation
Threat Intelligence
Threat Grid is the unified malware analysis and threat intelligence platform. It performs automated static and dynamic analysis, producing human readable behaviour indicators for each file submitted. Threat Grid's global scalability drives context rich information that can be consumed directly or via content rich threat intelligence feeds.

11 Introducing AMP Threat Grid
Threat Grid is Cisco's unified malware analysis and threat intelligence platform.
1. Flexible model: cloud SaaS or on-premise appliance
2. Submission through Web portal or API
3. REST API automates sample analysis, enrichment and reporting
4. Integrate with Cisco and third party solutions

12 Introducing AMP Threat Grid
Threat Grid is the unified malware analysis and threat intelligence platform. It performs automated static and dynamic analysis...
The AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts. Actionable threat content and intelligence is generated that can be packaged and integrated into a variety of existing systems or used independently.
An automated engine observes, deconstructs, and analyzes using multiple techniques:
1. Outside looking in approach / No presence in the virtual machine
2. Observe all changes to local host and network communications
3. Wide range of supported file types

13 Introducing AMP Threat Grid
Threat Grid is the unified malware analysis and threat intelligence platform. It performs automated static and dynamic analysis, producing human readable behaviour indicators for each file submitted.
1. Behavioral indicators that let you prioritize threats with confidence
2. Malware families, malicious behaviors, and more (not just signatures)
3. Detailed description and actionable information

14 Introducing AMP Threat Grid
Threat Grid is the unified malware analysis and threat intelligence platform. It performs automated static and dynamic analysis, producing human readable behaviour indicators for each file submitted. Threat Grid's global scalability drives context rich information...
1. Samples correlated with billions of malware artifacts
2. Global / historical context on threat landscape
3. "Wikipedia of Malware" effect: Sample and Artifact Intelligence Database

15 Introducing AMP Threat Grid
Threat Grid is the unified malware analysis and threat intelligence platform. It performs automated static and dynamic analysis, producing human readable behaviour indicators for each file submitted. Threat Grid's global scalability drives context rich information that can be consumed directly by analysts and researchers or via content rich threat intelligence feeds.
1. Create custom feeds with context/metadata
2. Download curated batch feeds (also see Appendix A)
3. Various formats (JSON, CyBOX, STIX, CSV, or Snort rules)
API or Web extraction of curated Threat Feeds from the Sample and Artifact Intelligence Database

16 AMP and Threat Grid Integration: How does it all work together?
Diagram elements: Talos; File Dispositions, IoCs, SPERO; Threat Intel; Behavioural Indicators; File Dispositions; AMP Cloud or Private Cloud (File Reputation); Threat Grid Cloud or on-prem (File Analysis); AMP Threat Intelligence Cloud

17 The AMP Everywhere Architecture (Simplified)
AMP Threat Intelligence Cloud; AMP Cloud or Private Cloud (File Reputation); Threat Grid Cloud or on-prem (Sandboxing)
Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
AMP for Endpoints can be launched from AnyConnect

18 Understanding the Cisco AMP Architecture and Threat Grid

19 Cisco Advanced Malware Protection Recap: What are we actually providing with the solution?
Service             Function                                        Powered by
File Reputation     Blocking of known malicious files               AMP Cloud
File Analysis       Behavior analysis of unknown files              Threat Grid Cloud
File Retrospection  Retrospective alerting upon disposition change  AMP Cloud or

20 AMP and Threat Grid Integrations
Services: File Reputation, File Analysis, File Retrospection
Products: Firepower, ESA/CES, WSA, Meraki MX, Umbrella intel. proxy (N/A, N/A), AMP4E

21 AMP in a Nutshell for Integrations
File Reputation: the AMP Connector (ESA, WSA, Firepower) sends a File Reputation Check (includes SHA256, SPERO) to the AMP File Reputation Database and receives a Disposition (unknown, malicious, clean)
File Analysis: the AMP Connector sends an Analysis Request (includes the file) to the Threat Grid Sandbox and receives a Disposition (unknown, malicious)
The Threat Grid Sandbox passes the SHA256 to the AMP File Reputation Database: a Malicious File Hash is automatically marked in the AMP Database
Information stored in AMP: Hashes, Device GUID
Information stored in TG: Files and Device GUID, Analysis Results and Reports

22 AMP Deployments: Fully Public Cloud
AMP Public Cloud and Threat Grid Public Cloud outside the Organization's Perimeter; AMP Connector (ESA, WSA, Firepower) inside, using File Reputation and File Analysis
Threat Grid Public Cloud passes the SHA256 to the AMP Public Cloud: Malicious Files automatically marked in AMP Public Database
Information stored in AMP: Hashes, Device GUID
Information stored in TG: Files and Device GUID, Analysis Results and Reports

23 AMP Deployments: Hybrid for Integrations
AMP Public Cloud outside the Organization's Perimeter; Threat Grid Appliance (TGA) and AMP Connector (ESA, WSA, Firepower) inside, using File Reputation and File Analysis
Malicious Files are NOT automatically marked in the AMP Public Cloud
Information stored in AMP: Hashes, Device GUID
Information stored on TGA: Files and Device GUID, Analysis Results and Reports

24 AMP Deployments with Threat Grid Appliance: TGA Operation
TGA will NEVER send any information back to any cloud!!
Customer invests in TGA for a reason: PRIVACY
On-premise TGAs will NEVER be trusted sources for Disposition updates
Current TGA versions only connect to the Internet for the following operations:
Software Updates
Internet Access for Samples running inside the VMs via Dirty Interface

25 AMP Deployments: Hybrid for Integrations
Threat Grid Public Cloud outside the Organization's Perimeter, receiving the SHA256; AMP Connector (ESA, WSA, Firepower) inside, using File Reputation and File Analysis

26 AMP Deployments: Fully Private Cloud for Integrations
AMP Public Cloud outside the Organization's Perimeter; AMP Private Cloud (AMP-PC), TGA and AMP Connector (ESA, WSA, Firepower) inside, using File Reputation and File Analysis
Information stored in AMP: AMP-PC GUID
Information stored on AMP-PC: Hashes, Device GUID; Malicious Files automatically marked in AMP Private Cloud
Information stored on TGA: Files and Device GUID, Analysis Results and Reports

27 AMP in a Nutshell for Endpoint
File Reputation: the AMP Connector (Endpoint) sends a File Reputation Check (includes SHA256, ETHOS, SPERO, DFC) to the AMP File Reputation Database and receives a Disposition (unknown, malicious, clean)
File Analysis: the AMP File Reputation Database issues a File Fetch (suspicious file) to the connector; the Analysis Request (includes the file) goes to the Threat Grid Sandbox
The Threat Grid Sandbox passes the SHA256 to the AMP File Reputation Database: Malicious Files automatically marked in AMP Database
Information stored in AMP: Endpoint Information, Suspicious Files, Policies & Custom Detections, File Trajectory, Root Cause Reporting, IOC Scans
Information stored in TG: Files, Analysis Results and Reports

28 AMP Deployments: Fully Public Cloud for Endpoints
AMP Public Cloud and Threat Grid Public Cloud outside the Organization's Perimeter; AMP Connector (Endpoint) inside, using File Reputation and File Analysis
Threat Grid Public Cloud passes the SHA256 to the AMP Public Cloud: Malicious Files automatically marked in AMP Public Database
Information stored in AMP: Endpoint Information, Files, Policies & Custom Detections, File Trajectory, Root Cause Reporting, IOC Scans
Information stored in TG: Files and Device GUID, Analysis Results and Reports

29 AMP Deployments: Hybrid Deployments for Endpoints
Note: AMP for Endpoints does not support any Hybrid Deployment Modes!!!

30 AMP Deployments: Fully Private Cloud for Endpoints
AMP Public Cloud outside the Organization's Perimeter; AMP Private Cloud (AMP-PC), TGA and AMP Connector (Endpoints) inside, using File Reputation and File Analysis; TGA passes the SHA256 to the AMP-PC
Information stored in AMP: AMP-PC GUID
Information stored on AMP-PC: Endpoint Information, Files, Policies & Custom Detections, File Trajectory, Root Cause Reporting, IOC Scans; Malicious Files automatically marked in AMP Private Cloud
Information stored on TGA: Files and Device GUID, Analysis Results and Reports

31 Cisco AMP Deployment Options Summary
Deployment Options: Fully Public; AMP Public / Threat Grid Private; AMP Private / Threat Grid Public; Fully Private
Products: Cisco ESA, Cisco WSA, Cisco Firepower, AMP for Endpoints
Annotations: "Most common deployment mode at non-US customers for AMP integrations." and "Doesn't really make sense, right?"

32 AMP Private Cloud (AMP-PC) Virtual Appliance: Deployment Options (For Your Reference)
The AMP File Reputation database provides the foundation for the entire AMP solution
AMP is provided as a public cloud service and usually consumed directly
AMP-PC delivers the full cloud Feature Set with a dedicated instance at the customer's premise
It's a solution built for environments with very high data privacy requirements
The AMP Private Cloud Appliance can be deployed in two ways:
Proxy Mode: AMP Connector exchanges FR Data with the AMP-PC, which exchanges FR Data with the AMP Public Cloud
Air-Gap Mode: AMP Connector exchanges FR Data with the AMP-PC; File Reputation Updates are brought in from the AMP Public Cloud

33 Cisco Threat Grid On-Premise Appliance
Threat Grid provides a consistent user experience from cloud to appliance (UI, API)
Threat Grid Appliances are equipped with a massive amount of resources, being able to analyse a huge number of files in parallel
Easy scaling with license upgrade from to submissions per day
TG5004: Up to 1500 sample analyses / day; Cisco UCS C220 M4 Chassis (1U); 6 x 1TB SAS HDD with LSI hardware RAID
TG5504: Up to 5000 sample analyses / day; Cisco UCS C220 M4 Chassis (1U); 6 x 1TB SAS HDD with LSI hardware RAID
An Appliance for up to samples per day is planned to be released soon

34 Cisco Threat Grid Appliance Introduction (For Your Reference)
Clean Interface: Manual file submissions via Web UI and automated API submissions; needs connectivity to ESA/WSA and Firepower sensors
Admin Interface: Application management and monitoring; Setup & Configuration; Updates & Backup/Restore, Logging
Dirty Interface: Provides Internet connectivity for the VMs running malware; also leveraged for software updates

35 Cisco Threat Grid Appliance Summary (For Your Reference)
AMP Threat Grid Appliance:
All Samples are local
All Artifacts are local
No data is sent to the cloud
Pivoting on Samples and Artifacts is only based on local data
AMP malicious marking can only be achieved on AMP PC and has only local relevance
Submission Limits based on appliance platform and license
AMP Threat Grid Cloud:
Samples are submitted either as Private or Public (depending on Tagging)
Automated file submissions (ESA, WSA, Firepower, AMP for Endpoints) are ALWAYS marked privately
Public data can be pivoted on, but is still anonymous as to who submitted the sample
AMP malicious marking is done on the public cloud
Virtually NO Submission Limits

36 Cisco AMP and Threat Grid for Content Security: Email Security Solution

37 Cisco Email Security: Complete Inbound Protection
Inbound pipeline (powered by Cisco TALOS): Reputation Filtering (Drop); Anti SPAM (Drop/Quarantine); Anti Virus (Drop/Quarantine); AMP (Drop/Quarantine); Content Filters (Quarantine/Rewrite); Outbreak Filters (Quarantine, Rewrite URLs); final outcome Deliver or Drop

38 ESA AMP & Threat Grid Process Flow: Threat Grid in the Cloud
Security stack on the Cisco ESA: Reputation Filtering, Anti SPAM, Anti Virus, AMP, Content Filters, Outbreak Filters; AMP Public Cloud and Threat Grid Public Cloud
1. Email sent from Internet
2. Accepted by ESA Appliance
3. Email passed through security stack on ESA
4. Threat intelligence from AMP Cloud used to determine if email or attachments match malicious indicators (SHA Lookup)
5. If file is still suspicious, it is sent to the cloud instance of AMP Threat Grid for analysis; message put into temporary quarantine
6. If AMP Threat Grid malware analysis determines that it has serious malicious behaviors and indicators, the AMP Cloud is updated (poked) to mark the file as bad
7. ESA polls for analysis completed and releases the message from temporary quarantine
8. ESA further processes the file according to policy

39 AMP File Reputation Workflow
File: Able to parse attachment? No: treated as unscannable, policy action for unscannable. Yes: Attachment is an archive file? Yes: Able to unpack the archive? No: treated as unscannable.
Verdict available in ESA cache? No: Query File Reputation Server (AMP public/private) and wait for the Query Response; if AMP is not reachable, treated as unscannable.
File reputation verdict? MALICIOUS: policy action for malware. CLEAN: continue through workqueue. UNKNOWN: AMP upload action? Send to File Upload & Pre-Classification Checks.

40 File Upload Criteria and Pre-Classification
File: Attachment meets file upload criteria? No: continue through workqueue. Yes: Attachment contains dynamic content? No: continue through workqueue. Yes: Policy Actions (File Analysis, Quarantine / Deliver).
File Upload Criteria: Supported File Types; Attachment size <= 100 MB

41 AMP on ESA: File Types and Pre-Classification
The number of supported file types has been enhanced with ESA version 11.1 (currently with Limited Availability); File Types are now on par with TG
This will also be enhanced with WSA version 11.5
Before an unknown file is submitted, the pre-classification engine scans it to select only files with active or suspicious content
Pre-classification signatures: byte code rules that uncover suspicious indicators (see next slide)
Signatures developed and updated by Talos; ESA/WSA/Firepower check for new updates once every 30 minutes

42 ESA Pre-Classification (applies also to WSA and Firepower)
File Pre-classification: Suspect File is submitted to Threat Grid; Normal File is not submitted to Threat Grid

43 AMP on ESA with Threat Grid Public Cloud: Considerations
If the file was submitted to the Threat Grid cloud and got a Threat Score >= 95, then the Threat Grid cloud will update the file disposition in the AMP cloud for this SHA256 instantaneously
On average a file is marked malicious within 7 minutes from its first occurrence on a global perspective
ESA does not act on a Threat Score from the Threat Grid Cloud directly
ESA only waits for the analysis to finish, updates the file reputation cache and then sends the file through AV and AMP again
Malware will be convicted by AMP FR due to the adjusted disposition!!
From that point in time, all AMP customers will benefit from the updated file dispositions in the AMP cloud

44 AMP on ESA with Threat Grid Appliance: Considerations
Remember: TGA will NEVER send any information back to any cloud!!
Other than in a TG Cloud based deployment, ESA receives a Disposition from the TGA
The TGA Disposition is either unchanged (Threat Score < 95) or malicious (Threat Score >= 95)
ESA still does not act on the Threat Score but on the disposition derived by the TGA
In this case, Malware will be convicted directly by the TGA disposition!!
This does have further implications:
For hybrid Deployments, further AMP file reputation checks for the same SHA256 on the AMP cloud will still result in an unknown disposition
For fully on-premise Deployments, TGA integrates with the AMP Private Cloud Appliance (AMP-PC) and does update dispositions there
Those updated AMP-PC dispositions are only locally significant

45 Configuring AMP for ESA: Enable AMP Services
Security Services > File Reputation and Analysis
You can choose whether to enable or disable two services: File Reputation (SHA-256); File Analysis (Threat Grid integration)
Connectivity via TCP/32137 is recommended for initial setup
Callouts: Turns on File Reputation globally; Turns on File Analysis globally; Turns on File Types for FA globally

46 Configuring AMP for ESA: Advanced Settings for File Reputation
Can be left at defaults in most cases
Possibility to work with an AMP PC instance, Internet Proxies and via SSL TCP/443
Reputation Score is deprecated and soon to be removed from the GUI
Callouts: Select Data Center and register at your AMP for Endpoints Console; Keep defaults, configure proxy and/or use SSL based File Reputation checks; Deprecated, please ignore these settings!; AMP client ID and suppression of Retrospective Events for dropped messages

47 Configuring AMP for ESA: Advanced Settings for File Analysis (TG Cloud)
Defaults are valid for the North America Threat Grid Cloud
Alternatively select the European Data Center or a Threat Grid Appliance
In the future also used for selecting other Threat Grid Cloud Data Centers
Callouts: Select TG Data Center or your own Threat Grid appliance; More details on the FA Client ID in a sec

48 Configuring AMP for ESA: Advanced Settings for File Analysis (TG Appliance)
Selecting Private analysis cloud reveals more options
Upload the TGA self-signed certificate or a certificate issued by your PKI
If the organization's PKI is used, upload the complete certificate chain
Callouts: TGA Hostname; Install TGA Cert; FA Client ID

49 Configuring AMP for ESA: Incoming Mail Policy
Mail Policies > Incoming Mail Policies
Click on the link to change AMP-related policy settings

50 Configuring AMP for ESA: Edit Incoming Mail Policy
How to deal with Unscannable Attachments
How to deal with File Analysis Submission limits
How to deal with File Reputation unavailable
How to deal with Malicious Attachments
How should ESA handle Messages with Attachments currently in File Analysis
Mailbox Auto Remediation, see next slides...
General Policy options: Drop entire message; Drop only attachment; Modify message subject; Add mail header; Hold message in temporary quarantine

51 Mailbox Auto Remediation, New Feature: Use Case and Overview
The AMP engine on the ESA/ESAv provides reports for retrospective events (aka verdict changes) to let an administrator know if a file has evaded detection and was delivered to a user's inbox, but was detected as malicious later
This feature goes beyond that and allows an administrator to configure the ESA/ESAv to interact with the Office 365 cloud
ESA is now able to leverage API calls to pull the related messages and their malicious attachments from the user's inbox and quarantine them
This automation allows for faster action to be taken upon discovery of message attachments that evaded detection in the first place

52 Configuring AMP for ESA: Mailbox Auto Remediation (For Your Reference)
Systems Administration -> Mailbox Settings: Configure your Office 365 Credentials; Import Certificate
Incoming Mail Policy -> Edit: Configure the Action to be taken as soon as a retrospective event is triggered

53 AMP Event Analysis: AMP Malware Events
Reporting > Advanced Malware Protection
These statistics are intended to provide detailed AMP file reputation results
AMP Summary: Numbers by Disposition
Top Malicious Files: click on the SHA-256 value to get more information for the file
List of files (hashes) that were blocked by AMP: click on the SHA-256 value to get more information for the file (see slide after next)

54 Cisco AMP Threat Name
Also called Spyname or Malware Name
It's only visible in AMP Integrations (ESA/WSA/FP)
It gives an indication about where the actual malicious disposition came from, i.e.: ClamAV; Heuristic Rules; Threat Grid sandbox; Third Party comparison engine; Analysis engines written by the Talos Team; and many more
Detailed descriptions posted here:

55 AMP Event Analysis: AMP File Analysis Events
Reporting > AMP File Analysis
Completed File Analysis Requests; Currently Running File Analysis Requests

56 AMP Event Analysis: AMP File Analysis Details
Reporting > Advanced Malware Protection
Click on the SHA256 to see summarized file analysis results from Threat Grid
File Analysis Date & Time
Behavioral Indicators fired during File Analysis
Link to Message Tracking for this SHA256, a way to track delivery of messages with this attachment
Link to the detailed TG Report for this file

57 AMP Event Analysis: AMP File Analysis Quarantine
Monitoring -> Policy, Virus and Outbreak Quarantines
Click on the Messages column to see all messages currently in File Analysis Quarantine

58 AMP Event Analysis: AMP File Analysis Quarantine Settings
Monitoring -> Policy, Virus and Outbreak Quarantines
Clicking on File Analysis opens the Quarantine Settings
Quarantine Retention Time: seatbelt against keeping Messages in Quarantine forever
Action to take if the Retention Timer expires: usually ESA releases and further processes the Message

59 AMP on ESA in action: 1 week of Evaluation Results
Real Life example: users organization, CES for Email Security, AMP license activated for eval
Here we've seen the opposite: almost AV hits, more than hits by AMP
BUT this was not a regular week
Looking at a week with usual mail traffic, AMP still provides huge value

60 AMP on ESA in action: Two weeks, mail users, more detailed analysis (scan_amp-log.sh)
File Reputation / File Analysis / Retrospection
======================================= AMP file reputation results ====================
Number of files extracted from mails:
Number of AMP reputation responses from cloud:
Number of AMP reputation responses from cache:
Number of files with AMP disposition MALWARE - DROPPED: 1259
Number of files with AMP disposition CLEAN - PASSED: 4188
Number of files with AMP disposition UNKNOWN:
======================================= AMP upload_action ==============================
Number of unknown files not to be uploaded (0): 147
Number of unknown files not to be uploaded (2):
Number of unknown files to be uploaded (1):
======================================= Threat Grid results ============================
Number of files already uploaded or known to the Threat Grid server: 332
Number of all file submissions to the Threat Grid server: 3830
Number of files successfully analyzed in the Threat Grid server: 3830
Number of analyzed files with threat score = 0 - NOT DROPPED after sandboxing: 3230
Number of analyzed files with threat score <95 - NOT DROPPED after sandboxing: 582
Number of analyzed files with threat score >95 - DROPPED after sandboxing: 18
======================================== Retrospective events ==========================
Number of files with retrospective disposition changes to MALICIOUS: 159
========================================================================================
Yes, we do provide the scripts for detailed ESA amplog analysis. Just ask.

61 Cisco AMP and Threat Grid for Content Security: Web Security Appliance

62 Cisco Web Security: Complete Inbound Protection
Pipeline for WWW traffic (powered by Cisco TALOS): URL Filtering (Block); Reputation Filtering (Block/Warn); Dynamic Content Analysis (Block/Warn); Anti Malware Engine (Block); Anti Virus Engines (Block); AMP (Block); final outcome Allow, Warn, Filter or Block

63 WSA AMP & Threat Grid Process Flow: Threat Grid in the Cloud
Security stack on the Cisco WSA: URL Filtering, Reputation Filtering, Dynamic Content Analysis, Anti Malware Engine, Anti Virus Engines, AMP; AMP Public Cloud and Threat Grid Public Cloud
1. Web page content from Internet
2. Directed through WSA Appliance
3. Content passed through security stack on WSA
4. Threat intelligence from AMP Cloud used to determine if page object matches malicious indicators (SHA Lookup)
5. If object is unknown and qualifies, it is sent to the Threat Grid cloud for analysis
6. WSA does not wait for results from TG and allows the object to be delivered
7. If AMP Threat Grid malware analysis determines that it has serious malicious behaviors and indicators, the AMP Cloud is updated (poked) to mark the file as bad
8. Poking also leads to a Retrospective Event
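The two process flows (slide 38 for the ESA, slide 63 for the WSA) differ in one decision: the ESA holds the message in temporary quarantine until Threat Grid finishes and then re-checks reputation, whereas the WSA delivers the object and relies on a retrospective event if the sandbox later pokes the AMP cloud. Slides 43 and 44 add the threshold (Threat Score >= 95) and the appliance case, where a TGA convicts locally and never updates the cloud. The following Python model, added here as an illustration and not code from Cisco or the presentation, exercises all four combinations on constructed files. The AMP cloud, Threat Grid, the SHA-256 cache, the pre-classification verdict (a flag on the sample) and the list of supported file types are all simplified stand-ins, not the products' real APIs or rule sets.

```python
import hashlib

MALICIOUS_SCORE = 95                   # slides 43/44: Threat Score >= 95 marks the SHA-256 malicious
MAX_UPLOAD_BYTES = 100 * 1024 * 1024   # slide 40: attachment size <= 100 MB
SUPPORTED_TYPES = {"exe", "pdf", "docm", "zip"}   # assumed subset of supported file types


class Sample:
    """A file extracted by a connector (constructed input). dynamic_content stands in
    for the Talos pre-classification verdict, which is assumed here, not computed."""

    def __init__(self, name, content, dynamic_content):
        self.name, self.content, self.dynamic_content = name, content, dynamic_content
        self.sha256 = hashlib.sha256(content).hexdigest()
        self.file_type = name.rsplit(".", 1)[-1].lower()


class ReputationCloud:
    """Stands in for the AMP cloud (or an AMP Private Cloud): SHA-256 -> disposition."""

    def __init__(self, known=None):
        self.dispositions = dict(known or {})
        self.connectors = []

    def lookup(self, sha):
        return self.dispositions.get(sha, "unknown")

    def poke(self, sha, disposition):
        """Disposition update; connectors are told so they can raise retrospective events."""
        self.dispositions[sha] = disposition
        for connector in self.connectors:
            connector.on_disposition_change(sha, disposition)


class Sandbox:
    """Stands in for Threat Grid; scores come from a constructed table keyed by filename.
    updates_cloud=True models the TG cloud (pokes AMP at score >= 95); False models a
    Threat Grid Appliance, which never reports to any cloud and only returns a disposition."""

    def __init__(self, scores, cloud, updates_cloud):
        self.scores, self.cloud, self.updates_cloud = scores, cloud, updates_cloud
        self.submitted = []

    def analyze(self, sample):
        self.submitted.append(sample.sha256)
        score = self.scores.get(sample.name, 0)
        disposition = "malicious" if score >= MALICIOUS_SCORE else "unknown"
        if self.updates_cloud and disposition == "malicious":
            self.cloud.poke(sample.sha256, disposition)
        return score, disposition


class Connector:
    """wait_for_analysis=True behaves like the ESA (message held in temporary quarantine),
    False like the WSA (object delivered; retrospection covers a later conviction)."""

    def __init__(self, cloud, sandbox, wait_for_analysis):
        self.cloud, self.sandbox, self.wait_for_analysis = cloud, sandbox, wait_for_analysis
        self.cache = {}               # file reputation cache (slide 39)
        self.delivered = {}           # sha256 -> filename of objects already let through
        self.retrospective_events = []
        cloud.connectors.append(self)

    def reputation(self, sha):
        if sha not in self.cache:
            self.cache[sha] = self.cloud.lookup(sha)
        return self.cache[sha]

    def qualifies_for_upload(self, sample):
        """Slide 40: supported type, size limit, and dynamic content per pre-classification."""
        return (sample.file_type in SUPPORTED_TYPES
                and len(sample.content) <= MAX_UPLOAD_BYTES
                and sample.dynamic_content)

    def on_disposition_change(self, sha, disposition):
        self.cache[sha] = disposition
        if disposition == "malicious" and sha in self.delivered:
            self.retrospective_events.append((self.delivered[sha], sha))

    def _deliver(self, sample):
        self.delivered[sample.sha256] = sample.name
        return "delivered"

    def process(self, sample):
        sha = sample.sha256
        disposition = self.reputation(sha)
        if disposition == "malicious":
            return "dropped"
        if disposition == "clean" or not self.qualifies_for_upload(sample):
            return self._deliver(sample)
        if not self.wait_for_analysis:
            result = self._deliver(sample)   # WSA: the object reaches the user first ...
            self.sandbox.analyze(sample)     # ... and a later poke becomes a retrospective event
            return result
        _, tg_disposition = self.sandbox.analyze(sample)   # ESA: message waits in quarantine
        if not self.sandbox.updates_cloud and tg_disposition == "malicious":
            self.cache[sha] = "malicious"    # TGA conviction: locally significant only
        else:
            self.cache.pop(sha, None)        # refresh from the cloud, which TG may have poked
        return "dropped" if self.reputation(sha) == "malicious" else self._deliver(sample)


def run(wait_for_analysis, use_appliance):
    """Push four constructed files through one connector with a fresh cloud and sandbox."""
    known_bad = Sample("known.exe", b"known bad payload", True)
    cloud = ReputationCloud({known_bad.sha256: "malicious"})
    scores = {"dropper.docm": 100, "macro.docm": 40}   # constructed Threat Grid scores
    sandbox = Sandbox(scores, cloud, updates_cloud=not use_appliance)
    connector = Connector(cloud, sandbox, wait_for_analysis)
    samples = [known_bad,
               Sample("dropper.docm", b"new dropper", True),
               Sample("macro.docm", b"harmless macro", True),
               Sample("notes.txt", b"plain text", False)]
    return {"outcomes": {s.name: connector.process(s) for s in samples},
            "submitted": len(sandbox.submitted),
            "retrospective": connector.retrospective_events,
            "cloud_view_of_dropper": cloud.lookup(samples[1].sha256)}


if __name__ == "__main__":
    for wait, appliance in [(True, False), (False, False), (True, True), (False, True)]:
        print("ESA-like" if wait else "WSA-like", "TGA" if appliance else "TG cloud", run(wait, appliance))
```

Running `run(True, False)` (ESA with TG cloud) drops the new dropper on the second reputation pass because the sandbox poked the cloud; `run(False, False)` (WSA) delivers it and records one retrospective event; with `use_appliance=True` the ESA still drops it from the TGA's disposition, but the cloud's view of the hash stays "unknown", which is the hybrid-deployment caveat of slide 44. The text file is never submitted because it fails the upload criteria.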

64 Configuring AMP for WSA: Enable AMP Services
Security Services > Anti-Malware and Reputation Settings
You can choose whether to enable or disable two services: File Reputation (SHA-256); File Analysis (analyse the file in TG)
Very similar to ESA; the AMP Advanced Settings are exactly the same as we've described for ESA
Callouts: Turns on File Reputation globally; Turns on File Analysis globally; Turns on File Types for FA globally

65 Configuring AMP for WSA: AMP Services Advanced Settings
Select Data Center and register the WSA at your AMP for Endpoints Console, more details in a sec...
Configure Upstream Proxy for File Reputation Checks
Callouts: AMP Client ID; File Analysis Client ID

66 Configuring AMP for WSA: Access Policy
Web Security Manager > Access Policies
Click on the link to change AMP-related policy settings
Callouts: Turns on File Reputation on Traffic matching this Access Policy; Select the Action to take for malicious objects

68 AMP Event Analysis: Malware Events on WSA
Details for blocked transaction for user "dave"

69 Accesslog - Example for Malicious File (SHA-256 is known as malicious to the Cloud)
fd00:1:2:3::1 TCP_DENIED/403 0 GET "sales@falconlab" DIRECT/valouweeigenaren.nl application/zip BLOCK_AMP_RESP_12-PO.FALCONLAB-ID.FALCONLAB-NONE-NONE-NONE-DefaultGroup <nc,-6.9,-,"-",-,-,-,1,"-",-,-,-,"-",-,-,"-","-",-,-,nc,-,"amp High Risk","othermalware","Unknown","Unknown","-","-",0.00,0,Local,"-",,37,"BBGG:Trojan3-tpd,0,0,"df zip","ce3fbaa76e bf759b51ddd08018f2c567e1f6016aeb 8938eecb05d63dd"> -
Annotated AMP fields at the end of the entry: Return Code (0=Clean); Threat Name; Threat Verdict Code; File requested to be uploaded for analysis? (0=not req); Filename; SHA-256 of the File

70 AMP on WSA includes Cognitive Threat Analytics
NEW: Cognitive Threat Analytics is included in the AMP License for WSA and in the AMP for Endpoints License.
CTA provides cloud-based Threat Analytics with actionable reports for Security Operations.
See the following sessions for more details:
- BRKSEC-2444 CTA - detecting advanced malware with machine learning (CL 2017)
- LTRSEC-2200 You Got Hacked! Here is What To Do (AMP For Endpoints, Threat Grid, CTA...)

71 Recent Enhancements for AMP Integrations

72 Introducing AMP Unity
- AMP for Endpoints: manages for Endpoints the Endpoint Policies, Black & White Lists and Exclusions; provides for Endpoints the Device Trajectories, File Trajectories and Retrospection.
- Cisco Firepower (FMC): manages for Network the Network Policies and Black & White Lists; provides for Network the File Trajectories and Retrospection.
- Cisco ESA & WSA: manages for Content the Content Policies and Black & White Lists; provides for Content the File Trajectories and Retrospection.

73 AMP Unity: Enhanced Operational Visibility and Control
Systems Security Team (AMP for Endpoints, Cisco ESA & WSA):
- Consolidation of connector events in the AMP Console, regardless of connector type
- Visibility into the threat vector
- Policy Management for all AMP Connectors
Event Sync with the Firepower Management Center.
Network Security Team (Cisco Firepower, FMC): visibility into AMP Events at the Endpoint.

74 How does AMP Unity work?
In the past, AMP Integrated Connectors registered anonymously to the AMP Cloud and Threat Grid.
Now ESA, WSA and Firepower devices are able to register to the customer's environment:
- Self-registration at the AMP for Endpoints Console for File Reputation
- Per Service Request at the Threat Grid Premium Portal for File Analysis (automated self-registration already available for Firepower, coming soon for ESA and WSA)
Self-registration is supported with the following software: ESA 11.1, WSA 11.5, Firepower.
AMP Unity provides full visibility into file activities for all AMP Connectors.

75 Integrating Connectors into AMP
This applies to all Integrations (ESA, WSA, Firepower).
- The AMP Client ID identifies individual file reputation checks per device; devices register at the AMP Cloud using their individual AMP Client ID.
- The AMP for Endpoints ID identifies the device in the AMP Console, where it shows up as an integrated application.

76 AMP Unity: Full Visibility into the Threat Vector
First, the file traversed the Next Gen Firewall infrastructure; then it was observed on the Email Security Solution; and finally it was stored on the Endpoint.

77 Integrating Connectors into Threat Grid
This applies to all Integrations (ESA, WSA, Firepower).
- The File Analysis Client ID identifies individual file submissions per device; devices register at the TG Cloud using their individual FA Client ID.
- The FA Client ID can be leveraged to bind device submissions to a TG Cloud content subscription (access to the TG Cloud Portal and API). This provides the ability to see samples submitted by devices (ESA, WSA, Firepower). The Cloud content subscription also provides manual submissions, analysis and sample interactions (Glovebox).
Note: Association of the customer's FA Client IDs to the customer's TG Cloud Portal is still a manual process and has to be requested via a TAC Service Request!!!
- The FA Client ID is also used to register a device at the TG Appliance: the device registers a new User at the TGA with the TG Client ID as the Username. This new User must be activated, otherwise the TGA will not accept submissions.

78 Integrated Connector Registration: ESA Registration to Threat Grid
During initial AMP configuration the device registers at Threat Grid Cloud or Appliance.
Screenshot callouts: registration with FA Client ID to Threat Grid Cloud; registration with FA Client ID to a Threat Grid Appliance.

79 Integrated Connector Registration: Integrated Connectors assigned to the Customer's Organization
Integrated Connectors and regular Users show up in the Organization at TG.
Screenshot callouts: Firepower Connector; ESA Connector; WSA Connector; FMC Connector; Regular User.

80 Full File Analysis Visibility for the entire Organization
Threat Grid Sample Manager: filtering based on file source (who submitted the file).

81 Cisco AMP and Threat Grid for Endpoint Security

82 AMP for Endpoints: Just a quick recap
The AMP Connector (Endpoint) performs a File Reputation Check against the AMP File Reputation Database (includes SHA256, ETHOS, SPERO, DFC) and receives a Disposition (unknown, malicious, clean).
Suspicious files are fetched from the endpoint (File Fetch) and sent as an Analysis Request (includes the file) to the Threat Grid Sandbox for File Analysis; files found malicious are automatically marked in the AMP Database.
AMP Connector: no local definitions; minimal resource usage, approx. 30 MB RAM and 150 MB HDD (1 GB if using the TETRA Engine).

83 Threat Grid in AMP for Endpoints: How are files submitted for File Analysis from Endpoints?
The Threat Grid integration into AMP for Endpoints focuses exclusively on Executables; no other files will ever be submitted for sandboxing automatically.
Low Prevalence is the process to select files to be submitted for File Analysis in Threat Grid automatically:
- Prevalence: how widely spread a File is from a global perspective.
- Files get tagged as Low Prevalence if they are only seen on a very low number of Endpoints; thus they represent an Anomaly.
- Those Low Prevalence Executables will be automatically submitted to Threat Grid.
Additionally, an Administrator can also initiate a File Analysis manually: the AMP Console fetches the File from the Endpoint, submits the file for analysis and presents the results.
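To make the recap on slide 82 and the Low Prevalence selection above concrete, here is a small Python simulation added for this transcription; it is not Cisco code and does not reproduce AMP's actual algorithm. A stand-in reputation "cloud" records which endpoints have seen each SHA-256 (that count is the prevalence), connectors quarantine anything already dispositioned as malicious, only still-unknown executables seen on few endpoints are selected for sandbox submission, and a later sandbox verdict produces the retrospective event that names every endpoint already holding the file. The threshold, file contents, host names and verdict are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed threshold: a SHA-256 seen on this many endpoints or fewer counts as
# "low prevalence" (AMP's real cut-off is not stated on the slide).
LOW_PREVALENCE_MAX = 2

# Constructed file contents; the MZ prefix only marks a sample as "executable"
# for this simulation. Nothing here is real code or real malware.
INSTALLER = b"MZ" + b"\x00" * 30 + b"constructed, rarely seen installer"
COMMON_TOOL = b"MZ" + b"\x00" * 30 + b"constructed, widely deployed tool"
KNOWN_BAD = b"MZ" + b"\x00" * 30 + b"constructed sample already known to the cloud"
NOTES = b"meeting notes, plain text, not an executable"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_executable(data: bytes) -> bool:
    # Only executables are auto-submitted; a PE magic check stands in for the
    # connector's file-type identification.
    return data[:2] == b"MZ"


class ReputationCloud:
    """Stand-in for the AMP file reputation database: dispositions plus the
    sightings that give every SHA-256 its prevalence."""

    def __init__(self, known: Dict[str, str]):
        self.dispositions: Dict[str, str] = dict(known)
        self.sightings: Dict[str, Set[str]] = defaultdict(set)

    def lookup(self, sha: str, endpoint: str) -> str:
        self.sightings[sha].add(endpoint)
        return self.dispositions.get(sha, "unknown")

    def prevalence(self, sha: str) -> int:
        return len(self.sightings[sha])


@dataclass
class Connector:
    """Endpoint connector: hashes the file, asks the cloud, quarantines on 'malicious'."""
    name: str
    cloud: ReputationCloud
    quarantined: List[str] = field(default_factory=list)

    def on_file_created(self, filename: str, data: bytes) -> Tuple[str, str]:
        sha = sha256_hex(data)
        disposition = self.cloud.lookup(sha, self.name)
        if disposition == "malicious":
            self.quarantined.append(filename)
        return sha, disposition


def select_for_analysis(cloud: ReputationCloud, samples: Dict[str, bytes]) -> List[str]:
    """SHA-256s eligible for automatic Threat Grid submission: still unknown,
    executable, and seen on few enough endpoints to count as an anomaly."""
    return sorted(
        sha for sha, data in samples.items()
        if cloud.dispositions.get(sha, "unknown") == "unknown"
        and is_executable(data)
        and cloud.prevalence(sha) <= LOW_PREVALENCE_MAX
    )


def apply_verdict(cloud: ReputationCloud, sha: str, verdict: str) -> List[str]:
    """Record the sandbox verdict; on 'malicious' return every endpoint that already
    holds the file, i.e. the targets of a retrospective quarantine event."""
    cloud.dispositions[sha] = verdict
    return sorted(cloud.sightings[sha]) if verdict == "malicious" else []


def run_scenario() -> Dict[str, object]:
    # Constructed file-creation events: (endpoint, file name, contents).
    events = [
        ("host-a", "installer.exe", INSTALLER),
        ("host-e", "installer.exe", INSTALLER),
        ("host-b", "notes.txt", NOTES),
        ("host-c", "dropper.exe", KNOWN_BAD),
    ] + [(f"host-{i}", "tool.exe", COMMON_TOOL) for i in range(1, 5)]

    cloud = ReputationCloud({sha256_hex(KNOWN_BAD): "malicious"})
    connectors: Dict[str, Connector] = {}
    samples: Dict[str, bytes] = {}
    quarantined_at_create: List[Tuple[str, str]] = []
    for host, filename, data in events:
        connector = connectors.setdefault(host, Connector(host, cloud))
        sha, disposition = connector.on_file_created(filename, data)
        samples[sha] = data
        if disposition == "malicious":
            quarantined_at_create.append((host, filename))

    submitted = select_for_analysis(cloud, samples)
    # Constructed sandbox outcome: Threat Grid later judges the installer malicious.
    retrospective = apply_verdict(cloud, sha256_hex(INSTALLER), "malicious")
    return {
        "submitted": submitted,
        "quarantined_at_create": quarantined_at_create,
        "retrospective": retrospective,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the scenario the widely deployed tool is never sandboxed (prevalence 4), the text file is skipped because it is not an executable, the known-bad dropper is quarantined on the spot without a submission, and only the rarely seen installer goes to analysis; its later verdict reaches both hosts that already have it.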

84 AMP for Endpoints File Analysis: Automatic Sample Submissions with Low Prevalence Files
Analysis -> Prevalence shows all Low Prevalence Files.
Screenshot callouts: Enable/Disable/Configure Automatic File Analysis; File Information with number of occurrences, Report and Links to File and Device Trajectory; Select/De-Select Endpoint Groups for Automatic File Analysis.

85 AMP for Endpoints File Analysis: Manual File Submissions
The Administrator selects a File in File Trajectory to be fetched from an Endpoint.

88 AMP for Endpoints File Analysis: Manual File Submissions
The Administrator selects a File in File Trajectory to be fetched from an Endpoint. As soon as the file fetch is initiated, the file will show up in the file repository.

89 AMP for Endpoints File Analysis: Manual File Submissions
After a successful file fetch, the file will show up as available. Currently no file analysis result is available; hit the Analyze button to submit this file to Threat Grid. Threat Grid then runs the file, and you may leverage your TG Portal to interact with the sample during analysis and to view detailed results after it finishes.

90 Threat Grid Public Cloud Submissions: Public and Private Tags
Every Sample submitted to Threat Grid Cloud gets tagged:
- Public: the Sample will be visible to the World (each TG User can access all the details of the report)
- Private: the Sample is only visible to the submitting Organization
All automated Submissions from all the Integrations are always marked private.
Public/Private Tags are shown in the Sample Analysis View of the Threat Grid Portal.

91 Threat Grid Analysis Results
The Threat Grid Analysis Report provides a detailed view of: Meta Data; Behavioural Indicators; Network Activity; Processes; Artifacts; Registry Activities; File Activities. Use the Navigation Bar at the top to jump to the sections.
TG also provides: a Video of the VM session; a PCAP of all Network Activities; Export of the Report in various formats; Download of the Sample and all the Artifacts.

92 Enhancing Incident Research and Response Capabilities in Cisco s AMP Solution

93 Introducing AMP Visibility: A new integrated Security Orchestration Tool
- Single Pane of Glass across multiple IR Tools
- Combines external Threat Intelligence and internal Log Data via Enrichment Modules
- External Threat Intelligence is integrated from Cisco and 3rd Party Sources
- Reduces Incident triage and Mitigation time by integrating various remediation actions
Diagram labels: Threat Data (from the external sources); Threat Data & Control; Control Actions (towards the internal tools).

94 AMP Visibility Enrichment Modules
AMP Visibility supports three Threat Intelligence Modules out of the box: AMP Global Intel; AMP File Reputation; Talos Intelligence.
Additional Threat Intel Modules can be activated with customer accounts: Threat Grid (internal and external Threat Intel); VirusTotal (external Threat Intel).
Modules with internal Threat Intel and Control Actions: AMP for Endpoints; Cisco Umbrella (OpenDNS).

95 Let s have a quick demonstration of AMP Visibility

96 AMP Visibility Integration: New IR capabilities in the AMP for Endpoints Console

97 Conclusions

98 Sandboxing is not a Silver Bullet Technology, but Threat Grid is an integral Part of a Swiss Army Knife
Cisco Threat Grid is not just a Sandbox, it:
- is deeply integrated into all other Cisco Security Product Lines
- is a global Threat Intelligence Engine
- provides rich Context for Incident Research activities
Advanced Malware Protection is a key Component of the entire Cisco Security Portfolio.
Cisco AMP Visibility accelerates Incident Research by:
- ingesting various external and internal Threat Intelligence
- supporting Cisco and 3rd Party Products and Services
- leveraging AMP and Umbrella Remediation capabilities

99 Questions

101 Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session. Complete 4 Session Evaluations and the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event.

102 Continue Your Education: Demos in the Cisco campus; Walk-in Self-Paced Labs; Tech Circle; Meet the Engineer 1:1 meetings; Related sessions

103 Thank you

104 Agenda (with time allocation)
- Introduction: M, 10 min
- Understanding the Cisco AMP Architecture and Threat Grid: R, 20 min
- Cisco AMP and Threat Grid for Content Security: M, 30 min (ESA: M, 20 min; WSA: M, 10 min)
- Recent Enhancements for AMP Integrations: R, 15 min
- Cisco AMP and Threat Grid for Endpoint Security: R, 15 min
- Enhancing Incident Research and Response Capabilities: M, 10 min
- Demo: R, 5 min
- Conclusions: M, 5 min
- Reserved: 10 min

105 Based on what we've just learned: How effective are AMP Capabilities on the various Platforms?
Capabilities compared, in this order: File Reputation / File Analysis / File Retrospection
- Cisco ESA: Active blocking at transport / Active blocking with message quarantine / Manual or automatic remediation with O365
- Cisco WSA: Active blocking at transport / Informative, manual remediation / Informative, local, manual remediation
- Cisco Firepower: Active blocking at transport / Generates IOCs, remediation via SIEM / Generates IOCs, remediation via SIEM
- AMP for Endpoints: Active quarantine at disk activity / Active quarantine based on Analysis / Active quarantine at time of retrospective event
Remember, you can complement with CTA!!

106 Appendix A Threat Grid Feeds Descriptions

107 Threat Grid Feeds (Feed Name: Short Description)
- autorun-registry: Contains registry entry data derived from querying registry changes known for persistence
- banking-dns: Banking Trojan Network Communications
- dll-hijacking-dns: Feed contains Domains communicated to by samples leveraging DLL Sideloading and/or hijacking techniques
- doc-net-com-dns: Document (PDF, Office) Network Communications
- downloaded-pe-dns: Samples Downloading Executables Network Communications
- dynamic-dns: Samples Leveraging Dynamic DNS Providers
- irc-dns: Internet Relay Chat (IRC) Network Communications
- modified-hosts-dns: Modified Windows Hosts File Network Communications
- parked-dns: Parked Domains resolving to RFC1918, Localhost and Broadcast Addresses
- public-ip-check-dns: Check For Public IP Address Network Communications
- ransomware-dns: Samples Communicating with Ransomware Servers
- rat-dns: Remote Access Trojan (RAT) Network Communications
- scheduled-tasks: Feed containing scheduled task data observed during sample execution
- sinkholed-ip-dns: DNS entries for samples communicating with a known DNS sinkhole
- stolen-cert-dns: DNS Entries observed from samples signed with a stolen certificate
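The DNS-based feeds in this appendix are most useful when matched against an organisation's own resolver logs. The Python example below is added for this transcription and is not Cisco code; it assumes a simple record shape for feed entries ({"feed": name, "domain": value}), which is not described on the slide, and uses constructed feed entries and DNS query lines. It normalises the logged names, matches a feed domain against the exact name and its subdomains (never a bare top-level label), and attaches a triage weight of its own choosing, so that a hit on sinkholed-ip-dns is still surfaced as an infected host even though the infrastructure no longer serves the attacker.

```python
from typing import Dict, List, Set, Tuple

# Constructed feed entries. The record shape {"feed": ..., "domain": ...} is an
# assumption made for this example; the slide lists feed names, not the wire format.
FEED_ENTRIES = [
    {"feed": "ransomware-dns", "domain": "pay.ransom.example"},
    {"feed": "rat-dns", "domain": "c2.rat.example"},
    {"feed": "dynamic-dns", "domain": "updates.dyn.example"},
    {"feed": "sinkholed-ip-dns", "domain": "old-botnet.example"},
    {"feed": "banking-dns", "domain": "c2.rat.example"},  # one domain can sit in several feeds
]

# Constructed DNS query log: (client address, queried name as logged).
DNS_LOG = [
    ("10.0.0.5", "PAY.RANSOM.EXAMPLE."),
    ("10.0.0.7", "cdn.updates.dyn.example"),
    ("10.0.0.9", "www.example.com"),
    ("10.0.0.11", "old-botnet.example"),
]

# Triage weight per feed: this example's own choice, not a Threat Grid rating.
# A sinkholed C2 no longer serves the attacker, but a host resolving it is still infected.
PRIORITY = {
    "ransomware-dns": "high", "rat-dns": "high", "banking-dns": "high",
    "sinkholed-ip-dns": "medium", "dynamic-dns": "low",
}


def normalize(name: str) -> str:
    # Resolver logs vary in case and trailing dot; match on the canonical form.
    return name.strip().rstrip(".").lower()


def build_index(entries: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Feed domain -> set of feed names that list it."""
    index: Dict[str, Set[str]] = {}
    for entry in entries:
        index.setdefault(normalize(entry["domain"]), set()).add(entry["feed"])
    return index


def candidate_suffixes(name: str) -> List[str]:
    """'a.b.c.d' -> ['a.b.c.d', 'b.c.d', 'c.d']: a feed domain also covers its
    subdomains, but a bare top-level label is never a candidate."""
    labels = normalize(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def match_dns_log(
    log: List[Tuple[str, str]], index: Dict[str, Set[str]]
) -> List[Tuple[str, str, str, str, str]]:
    """(client, query, matched feed domain, feed, priority) for every hit."""
    hits: List[Tuple[str, str, str, str, str]] = []
    for client, query in log:
        for suffix in candidate_suffixes(query):
            if suffix in index:
                for feed in sorted(index[suffix]):
                    hits.append((client, normalize(query), suffix, feed, PRIORITY.get(feed, "low")))
                break  # the longest (most specific) matching suffix wins
    return hits


if __name__ == "__main__":
    for hit in match_dns_log(DNS_LOG, build_index(FEED_ENTRIES)):
        print(" ".join(hit))
```

For real feeds, persist the index and the feed's publication date alongside each hit so that analysts can see how fresh the indicator was at the time of the query; a domain that is parked or sinkholed today may have been live C2 when the resolver log was written.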

More information

PSOACI Tetration Overview. Mike Herbert

PSOACI Tetration Overview. Mike Herbert Tetration Overview Mike Herbert Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion

More information

DevNet Workshop-Hands-on with CloudCenter and Jenkins

DevNet Workshop-Hands-on with CloudCenter and Jenkins DevNet Workshop-Hands-on with CloudCenter and Jenkins Tuan Nguyen, Technical Marketing Engineer, CPSG Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.28-8.3.3.9 Manager-Mxx30-series Release Notes McAfee Network Security Platform 8.3 Revision C Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Cisco Firepower NGFW. Anticipate, block, and respond to threats Cisco Firepower NGFW Anticipate, block, and respond to threats You have a mandate to build and secure a network that supports ongoing innovation Mobile access Social collaboration Public / private hybrid

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking

More information

Cisco s Appliance-based Content Security: IronPort and Web Security

Cisco s Appliance-based Content Security: IronPort  and Web Security Cisco s Appliance-based Content Security: IronPort E-mail and Web Security Hrvoje Dogan Consulting Systems Engineer, Security, Emerging Markets East 2010 Cisco and/or its affiliates. All rights reserved.

More information

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy The Next Generation Security Platform Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy The Next Generation Enterprise Security Platform Core Value Proposition An Enterprise Security

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-210 Title : Implementing Cisco Threat Control Solutions Vendor : Cisco Version : DEMO Get Latest & Valid 300-210

More information

Juniper Sky Advanced Threat Prevention

Juniper Sky Advanced Threat Prevention Juniper Sky Advanced Threat Prevention The evolution of malware threat mitigation Nguyễn Tiến Đức ntduc@juniper.net 1 Most network security strategies focus on security at the perimeter only outside in.

More information

CloudCenter for Developers

CloudCenter for Developers DEVNET-1198 CloudCenter for Developers Conor Murphy, Systems Engineer Data Centre Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Threat Control Solutions. Version: Demo

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Threat Control Solutions. Version: Demo Vendor: Cisco Exam Code: 300-207 Exam Name: Implementing Cisco Threat Control Solutions Version: Demo DEMO QUESTION 1 When learning accept mode is set to auto, and the action is set to rotate, when is

More information

How to build a multi-layer Security Architecture to detect and remediate threats in real time

How to build a multi-layer Security Architecture to detect and remediate threats in real time How to build a multi-layer Security Architecture to detect and remediate threats in real time Nikos Mourtzinos, CCIE #9763 Cisco Cyber Security Sales Specialist March 2018 Agenda Cisco Strategy Umbrella

More information

Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers

Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers BRKPAR-2333 Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers Paolo Ferrari, Senior Director Sales Southern Europe, Ipswitch, Inc. WhatsUp Gold Jan 2018 Agenda

More information

USM Anywhere AlienApps Guide

USM Anywhere AlienApps Guide USM Anywhere AlienApps Guide Updated April 23, 2018 Copyright 2018 AlienVault. All rights reserved. AlienVault, AlienApp, AlienApps, AlienVault OSSIM, Open Threat Exchange, OTX, Unified Security Management,

More information

Innovative Cisco Security- Lösungen für den Endpoint Das Alpha und Omega unsere Next Gen Security

Innovative Cisco Security- Lösungen für den Endpoint Das Alpha und Omega unsere Next Gen Security Innovative Cisco Security- Lösungen für den Endpoint Das Alpha und Omega unsere Next Gen Security Sven Kutzer Consulting Systems Engineer GSSO - CYBERSECURITY SALES Mittwoch, 7. März 2018 Challenges 2017

More information

Hybrid Cloud Automation using Cisco CloudCenter API

Hybrid Cloud Automation using Cisco CloudCenter API Hybrid Cloud Automation using Cisco CloudCenter API Ray Doerr, Advanced Services Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session

More information

Symantec Advanced Threat Protection: Endpoint

Symantec Advanced Threat Protection: Endpoint Symantec Advanced Threat Protection: Endpoint Data Sheet: Advanced Threat Protection The Problem Virtually all of today's advanced persistent threats leverage endpoint systems in order to infiltrate their

More information

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ Threat Containment and Operations Yong Kwang Kek, Director of Presales SE, APJ 2018-07-19 1 1 2017 Infoblox Inc. All Rights 2013 Infoblox Inc. All Reserved. Rights Reserved. Three Aspects of Security #1

More information

MOVE AntiVirus page-level reference

MOVE AntiVirus page-level reference McAfee MOVE AntiVirus 4.7.0 Interface Reference Guide (McAfee epolicy Orchestrator) MOVE AntiVirus page-level reference General page (Configuration tab) Allows you to configure your McAfee epo details,

More information

Passit4Sure (50Q) Cisco Advanced Security Architecture for System Engineers

Passit4Sure (50Q) Cisco Advanced Security Architecture for System Engineers Passit4Sure.500-265 (50Q) Number: 500-265 Passing Score: 800 Time Limit: 120 min File Version: 5.8 Cisco 500-265 Advanced Security Architecture for System Engineers Today is big day for me as I passed

More information

Intelligent Cyber Security for Real World

Intelligent Cyber Security for Real World Intelligent Cyber Security for Real World Simone Posti Security Account Manager Cisco GSSO June 2016 The Security Challenges Without integrated security, our data is at risk 60% of data is stolen in HOURS

More information

Lastline Breach Detection Platform

Lastline Breach Detection Platform Lastline Breach Detection Platform Quickly and accurately detect, block and respond to active breaches in your network. Highlights Integrate with existing security systems through API to optimize IR workflows

More information

Cisco Security Exposed Through the Cyber Kill Chain

Cisco Security Exposed Through the Cyber Kill Chain Cisco Forschung & Lehre Forum für Mecklenburg Vorpommern Cisco Security Exposed Through the Cyber Kill Chain Rene Straube CSE, Cisco Advanced Threat Solutions January, 2017 The Cisco Security Model BEFORE

More information

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018 Tanium Endpoint Detection and Response (ISC)² East Bay Chapter Training Day July 13, 2018 $> WhoamI 11 Years of Security Experience Multiple Verticals (Technology, Industrial, Healthcare, Biotech) 9 Years

More information

Tracking Messages. Message Tracking Overview. Enabling Message Tracking. This chapter contains the following sections:

Tracking Messages. Message Tracking Overview. Enabling Message Tracking. This chapter contains the following sections: This chapter contains the following sections: Message Tracking Overview, page 1 Enabling Message Tracking, page 1 Searching for Messages, page 2 Working with Message Tracking Search Results, page 4 Checking

More information

Cisco Security Enterprise License Agreement

Cisco Security Enterprise License Agreement Cisco Security Enterprise License Agreement Deploy Software and Technology more easily The Cisco Security Enterprise Licensing Agreement (ELA) gives you a simpler way to manage your licenses. And it saves

More information

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X Demonstration / Feature Walk Through Deployment Options Q & A 2 Endpoint Security has reached a Tipping Point Attacks

More information

Qualys Cloud Platform

Qualys Cloud Platform 18 QUALYS SECURITY CONFERENCE 2018 Qualys Cloud Platform Looking Under the Hood: What Makes Our Cloud Platform so Scalable and Powerful Dilip Bachwani Vice President, Engineering, Qualys, Inc. Cloud Platform

More information

Automation with Meraki Provisioning API

Automation with Meraki Provisioning API DEVNET-2120 Automation with Meraki Provisioning API Courtney M. Batiste, Solutions Architect- Cisco Meraki Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1.

More information

Tetration Hands-on Lab from Deployment to Operations Support

Tetration Hands-on Lab from Deployment to Operations Support LTRACI-2184 Tetration Hands-on Lab from Deployment to Operations Support Furong Gisiger, Solutions Architect Lawrence Zhu, Sr. Solutions Architect Cisco Spark How Questions? Use Cisco Spark to communicate

More information

SYMANTEC DATA CENTER SECURITY

SYMANTEC DATA CENTER SECURITY SYMANTEC DATA CENTER SECURITY SYMANTEC UNIFIED SECURITY STRATEGY Users Cyber Security Services Monitoring, Incident Response, Simulation, Adversary Threat Intelligence Data Threat Protection Information

More information

Configure WSA to Upload Log Files to CTA System

Configure WSA to Upload Log Files to CTA System Configure WSA to Upload Log Files to CTA System Last updated: April 19, 2018 Conventions Introduction Prerequisites Requirements Components Used Configure Configure the Proxy Connect to Active Directory

More information

Modern attacks and malware

Modern attacks and malware Modern attacks and malware Everything starts with an email and web Dragan Novakovic Cisco Systems New Cyber Threat Reality Your environment will get breached You ll most likely be infected via email Hackers

More information

Sourcefire and ThreatGrid. A new perspective on network security

Sourcefire and ThreatGrid. A new perspective on network security Sourcefire and ThreatGrid A new perspective on network security Agenda An overview of traditional IPS solutions Next-Generation IPS Requirements Sourcefire Next-Generation IPS Advanced Malware Protection

More information

Cisco Tetration Analytics

Cisco Tetration Analytics Cisco Tetration Analytics Enhanced security and operations with real time analytics John Joo Tetration Business Unit Cisco Systems Security Challenges in Modern Data Centers Securing applications has become

More information

ForeScout CounterACT. Configuration Guide. Version 2.2

ForeScout CounterACT. Configuration Guide. Version 2.2 ForeScout CounterACT Core Extensions Module: IOC Scanner Plugin Version 2.2 Table of Contents About the CounterACT IOC Scanner Plugin... 4 Use Cases... 5 Broaden the Scope and Capacity of Scanning Activities...

More information

Barracuda Advanced Threat Protection. Bringing a New Layer of Security for . White Paper

Barracuda Advanced Threat Protection. Bringing a New Layer of Security for  . White Paper Barracuda Advanced Threat Protection Bringing a New Layer of Security for Email White Paper Evolving Needs for Protection Against Advanced Threats IT security threats are constantly evolving and improving,

More information

Secure solutions for advanced threats

Secure solutions for advanced  threats Secure solutions for advanced email threats Threat-centric email security Cosmina Calin Virtual System Engineer November 2016 Get ahead of attackers with threat-centric security solutions In our live Security

More information

Security Analytics Appliances

Security Analytics Appliances DATA SHEET Security Analytics Appliances Accelerating Your Incident Response and Improving Your Network Forensics At a glance The integrated, turnkey Security Analytics Appliances: Speed Threat Identification

More information

How-To Configure Mailbox Auto Remediation for Office 365 on Cisco Security

How-To Configure Mailbox Auto Remediation for Office 365 on Cisco  Security How-To Configure Mailbox Auto Remediation for Office 365 on Cisco Email Security Beginning with AsyncOS 10.0 1 2017 2017 Cisco Cisco and/or and/or its affiliates. its affiliates. All rights All rights

More information

Sandstorm: Frequently asked questions. May August 2016 Page 1 of 7

Sandstorm: Frequently asked questions. May August 2016 Page 1 of 7 Sandstorm: Frequently asked questions May 2017 August 2016 Page 1 of 7 Licensing 1. What licenses do customers need to use Sophos Sandstorm functionality? Product and Competitive 2. Can we compare Sophos

More information