Cisco Security: Advanced Malware Protection. Guillermo González, Security Systems Engineer. October 2017
The New Security Model: the Attack Continuum
Before: Discover, Enforce, Harden (threat intelligence and analytics)
During: Detect, Block, Defend (point-in-time detection)
After: Scope, Contain, Remediate (retrospective security and continuous analysis)
Control points: Email and Web, Data Center/Servers, Network, Endpoints, Mobile
Gain security backed by the most advanced threat intelligence
- 100 TB of data received daily
- 1.5 million daily malware samples
- 600 billion daily email messages
- 16 billion daily web requests
- 250+ full-time threat intelligence researchers
- Millions of telemetry agents across web, email, network, endpoint, virtual and cloud
- 4 global data centers, 24x7x365 operations, global scanning
- Over 100 threat intelligence partners
- 30 years building the world's networks
Cisco Advanced Malware Protection: built on unmatched Cisco Collective Security Intelligence
AMP Threat Intelligence Cloud sources: WWW, email, endpoints, networks, IPS, devices
- 1.6 million global sensors
- 100 TB of data received per day
- 150 million+ deployed endpoints
- Team of engineers, technicians, and researchers
- 35% of worldwide email traffic
- 13 billion web requests; 4.3 billion web blocks per day
- 24x7x365 operations; 40+ languages
- 1.1 million incoming malware samples per day
- AMP Threat Grid dynamic analysis: 10 million files/month
- AMP community, private/public threat feeds, Talos security intelligence, AMP Threat Grid intelligence
- Advanced Microsoft and industry disclosures; Snort and ClamAV open source communities; AEGIS program
- Automatic updates in real time to AMP-enabled devices
AMP Plan A: Prevention. AMP Plan B: Retrospective Security.
Point-in-time prevention methods: 1-to-1 signatures, Spero (machine learning), Ethos (polymorphic), reputation filtering, IOCs, device flow correlation, dynamic analysis, advanced analytics, behavioral detection.
No single method, and no combination of them, reaches 100% detection; that gap is why Plan B (retrospective security) exists.
Continuous Analysis and Retrospective Security
Breadth and control points: WWW, email, endpoints, web, network, IPS, devices
Telemetry stream (continuous feed): file fingerprint and metadata, file and network I/O, process information
Continuous analysis with Talos + Threat Grid intelligence: retrospective detection, behavioral indications of compromise, trajectory, threat hunting
Cisco AMP gives you the answers to the most common questions after a breach. Continuous analysis looks across the organization and answers: When did it happen? Where is patient 0? What systems were infected? What was the entry point? What else did it bring in? www.cisco.com/go/amp
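The five questions above are answered from file trajectory: the telemetry stream of file fingerprints, process parents and sources that each connector reports. The following is an added example (not Cisco code, and not how AMP stores its data) that walks a constructed telemetry set for a hash that has just been flagged malicious and derives first sighting, patient 0, infected systems, entry point, lateral spread and dropped files. Event field names, the action vocabulary and the shortened hash placeholders are all assumptions.

```python
"""Answering the post-breach questions from a file trajectory (added example, not Cisco code).

Given endpoint telemetry events (file fingerprint, host, action, parent process
fingerprint, source) and a hash that has just been flagged malicious, derive:
when it first appeared, patient 0, every infected system, the entry point, and
what else the flagged file brought in. The events are constructed sample data;
hash values are shortened placeholders, not real fingerprints.
"""
from collections import namedtuple

# ts: ISO-8601 UTC; action: download | execute | create;
# parent: sha of the process that wrote the file (create events only);
# source: where a downloaded file came from (download events only).
Event = namedtuple("Event", "ts host action sha parent source")

EVENTS = [  # constructed telemetry; deliberately not in time order
    Event("2017-10-02T09:15:00Z", "ws-042", "download", "aaa1", None, "smb://ws-017/share/invoice.exe"),
    Event("2017-10-02T08:01:00Z", "ws-017", "download", "aaa1", None, "email:attachment invoice.exe"),
    Event("2017-10-02T08:01:30Z", "ws-017", "execute", "aaa1", None, None),
    Event("2017-10-02T08:02:10Z", "ws-017", "create", "bbb2", "aaa1", None),  # dropper writes payload
    Event("2017-10-02T08:02:12Z", "ws-017", "execute", "bbb2", None, None),
    Event("2017-10-02T08:03:00Z", "ws-017", "create", "ccc3", "bbb2", None),  # payload writes a third file
    Event("2017-10-02T09:15:05Z", "ws-042", "execute", "aaa1", None, None),
    Event("2017-10-02T09:16:00Z", "ws-042", "create", "bbb2", "aaa1", None),
    Event("2017-10-02T10:00:00Z", "srv-01", "download", "ddd4", None, "https://vendor.example.test/tool.msi"),  # unrelated
]


def related_files(events, sha):
    """sha plus every file written (transitively) by a process running a related file."""
    related = {sha}
    grew = True
    while grew:  # iterate to a fixed point so grandchildren are picked up too
        grew = False
        for e in events:
            if e.action == "create" and e.parent in related and e.sha not in related:
                related.add(e.sha)
                grew = True
    return related


def trajectory(events, sha):
    """Scope a retrospectively flagged hash; returns None if the hash was never seen."""
    family = related_files(events, sha)
    own = sorted((e for e in events if e.sha == sha), key=lambda e: e.ts)
    if not own:
        return None
    first = own[0]  # earliest sighting of the flagged file itself
    hits = [e for e in events if e.sha in family]
    return {
        "when": first.ts,
        "patient_zero": first.host,
        "entry_point": first.source,
        "systems": sorted({e.host for e in hits}),
        "brought_in": sorted(family - {sha}),
        # later downloads of the same file show how it moved between hosts
        "spread": sorted({(e.host, e.source) for e in own if e.action == "download" and e is not first}),
    }


if __name__ == "__main__":
    print(trajectory(EVENTS, "aaa1"))
```

Because the "create" edges are followed to a fixed point, a file dropped by the dropper's own payload (ccc3 here) is still attributed to the original hash, which is what "what else did it bring in" needs; systems are counted from the whole family, so a host that only ever saw the dropped payload would still be listed.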
The AMP Everywhere Architecture: AMP protection across the extended network for an integrated threat defense
- AMP Threat Intelligence Cloud; AMP Private Cloud Virtual Appliance
- Threat Grid: malware analysis + threat intelligence engine
- AMP for Endpoints: Windows, Mac OS, CentOS and Red Hat Linux (servers and data centers), Android mobile, virtual, remote endpoints; can be launched from AnyConnect
- AMP for Networks (AMP on the Firepower NGIPS appliance bundle); AMP on Cisco NGFW firewalls; AMP on ISR with Firepower Services
- AMP on Web and Email Security Appliances; AMP on Cloud Web Security (CWS/CTA) and hosted email
AMP Everywhere: control points on and off network
On network: WSA/CWS blocks web traffic by URL or content via proxy; ESA/CES blocks email traffic by sender or content; ASA/Firepower/Meraki blocks all other traffic inline by IP, URL or packet; OpenDNS blocks by domain as well as IP or URL.
Off network: CWS blocks web traffic by URL or content via proxy; ESA/CES blocks email traffic by sender or content; OpenDNS blocks by domain as well as IP or URL.
How it works: the AMP connector hashes the file and checks the hash against the AMP cloud over the Internet; when a verdict requires it, the file is submitted through the Threat Grid connector for analysis.
AMP Threat Intelligence Cloud dispositions returned to AMP on the ESA: MALICIOUS, CLEAN or UNKNOWN (for example, 8A8116429189D... is returned as MALICIOUS). Files sent to the malware sandbox receive a threat score; a score above the threshold (the slide draws the boundary between 90 and 91, with 31FC0059627... scored above it) is treated as malicious.
Reference deployment shown: Internet behind an NGFW; DMZ with the Cisco ESA (email security appliance with AMP), a web proxy and a malware sandbox; management network with Cisco FMC, log and vulnerability management and admin hosts; NGIPS in front of the mail server, file server and DMZ; production users network; SOC/NOC.
Cisco Email Security (Talos-backed; delivered as cloud, appliance or virtual)
Inbound email, across before/during/after: email reputation, mail flow policies and acceptance controls, anti-spam, anti-virus, file reputation (AMP), Threat Grid file sandboxing and retrospection, graymail management and safe unsubscribe, content controls, URL reputation and categorization, outbreak filters, anti-phish, tracking of user click activity (anti-phish).
Outbound email (outbound liability): mail flow policies, anti-spam and anti-virus, data loss protection, encryption.
HQ admin: management, reporting, message tracking. Verdict actions: allow, warn, block, partial block.
AMP with Threat Grid on the ESA
1. Email pre-classification and the local AV scanners process the attachment first.
2. The AMP connector checks its local cache, then on a miss sends a file reputation query to the AMP cloud (Cisco Talos); the disposition query response updates the cache with the disposition value and the upload_action.
3. A qualified file (for example one the cloud returned as UNKNOWN) is uploaded through the sandbox connector to Threat Grid for sandboxing.
4. The AMP feedback loop reports results back to the cloud only for malicious files; the AMP client heartbeat brings retrospective verdict changes back to the ESA.
Starting with version 9.5 of the ESA code, both public cloud and local sandboxing are supported.
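The "How it works" slide and the ESA flow above describe the same loop: hash lookup against a local cache and then the cloud, sandboxing only for files the cloud does not know, a feedback loop that publishes only malicious sandbox verdicts, and a retrospective alert when the cloud later changes its mind about a file a connector already let through. The toy model below is an added example, not Cisco's code; the class names, the score threshold of 91 (taken from the 90/91 boundary on the slide), the sample file contents and their scores are all assumptions, and the "cloud" and "sandbox" are in-process stand-ins so it runs offline.

```python
"""Toy model of the AMP file-disposition flow on the slides (added example, not Cisco code).

Models: SHA-256 lookup against a local cache, then the reputation cloud;
sandbox submission only for files the cloud marks UNKNOWN; a feedback loop that
publishes only MALICIOUS sandbox verdicts; and a retrospective alert when the
cloud later changes the verdict on a file a connector already let through.
All names, the score threshold and the sample files are assumptions.
"""
import hashlib

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"
MALICIOUS_SCORE = 91  # assumed threshold: a sandbox score >= 91 is treated as malicious


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReputationCloud:
    """Stand-in for the AMP Threat Intelligence Cloud: hash -> disposition, plus subscribers."""

    def __init__(self, known: dict):
        self.known = dict(known)
        self.subscribers = []

    def query(self, sha: str) -> str:
        return self.known.get(sha, UNKNOWN)

    def publish(self, sha: str, disposition: str) -> None:
        # A Talos verdict change or sandbox feedback; every connector hears about it (heartbeat).
        self.known[sha] = disposition
        for callback in self.subscribers:
            callback(sha, disposition)


class Sandbox:
    """Stand-in for Threat Grid: returns a constructed threat score for a submitted sample."""

    def __init__(self, scores: dict):
        self.scores = scores
        self.submissions = []

    def analyze(self, data: bytes) -> int:
        self.submissions.append(sha256(data))
        return self.scores.get(sha256(data), 0)


class Connector:
    """AMP connector as on an ESA/WSA: local cache, cloud query, sandbox upload, retrospective alerts."""

    def __init__(self, name: str, cloud: ReputationCloud, sandbox: Sandbox):
        self.name, self.cloud, self.sandbox = name, cloud, sandbox
        self.cache = {}  # sha -> (disposition, upload_action)
        self.seen = {}   # sha -> [(host, filename), ...], needed to scope a retrospective alert
        self.alerts = []
        cloud.subscribers.append(self.on_retrospective)

    def inspect(self, host: str, filename: str, data: bytes) -> str:
        sha = sha256(data)
        self.seen.setdefault(sha, []).append((host, filename))
        if sha in self.cache:                      # local cache hit: no cloud round trip
            return self.cache[sha][0]
        disposition = self.cloud.query(sha)
        upload_action = disposition == UNKNOWN     # only unknown files qualify for sandboxing
        self.cache[sha] = (disposition, upload_action)
        if upload_action:
            score = self.sandbox.analyze(data)
            if score >= MALICIOUS_SCORE:
                disposition = MALICIOUS
                self.cache[sha] = (disposition, False)
                self.cloud.publish(sha, MALICIOUS)  # feedback loop: malicious verdicts only
        return disposition

    def on_retrospective(self, sha: str, disposition: str) -> None:
        old = self.cache.get(sha)
        if old is None or old[0] == disposition:   # never seen here, or nothing changed
            return
        self.cache[sha] = (disposition, False)
        for host, filename in self.seen.get(sha, []):
            self.alerts.append((host, filename, old[0], disposition))


def run_demo() -> dict:
    # Constructed samples; they are plain byte strings, not real malware.
    good = b"MZ\x90\x00 benign installer"
    bad = b"MZ\x90\x00 dropper scored 97 by the sandbox"
    sneaky = b"MZ\x90\x00 sample that only looks bad later"
    cloud = ReputationCloud({sha256(good): CLEAN})
    sandbox = Sandbox({sha256(bad): 97, sha256(sneaky): 40})
    esa = Connector("esa", cloud, sandbox)
    wsa = Connector("wsa", cloud, sandbox)

    results = {
        "good": esa.inspect("mail01", "setup.exe", good),
        "bad_on_esa": esa.inspect("mail01", "invoice.exe", bad),
        "bad_on_wsa": wsa.inspect("proxy01", "invoice.exe", bad),  # cloud already knows, no sandbox
        "sneaky_first": esa.inspect("mail01", "report.exe", sneaky),
    }
    cloud.publish(sha256(sneaky), MALICIOUS)  # Talos later reclassifies the file
    results["sneaky_after"] = esa.cache[sha256(sneaky)][0]
    results["alerts"] = list(esa.alerts)
    results["sandbox_submissions"] = len(sandbox.submissions)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two points the model makes visible: the second connector never sandboxes the dropper because the first connector's malicious verdict was fed back to the cloud, and the file that scored below the threshold is delivered as UNKNOWN and only becomes actionable through the retrospective alert, which is why the connector has to remember where every file went, not just its disposition.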
Plan B: Retrospective Security with AMP for Networks. www.cisco.com/go/amp
AMP provides contextual awareness and visibility that lets you take control of an attack before it causes damage:
Who: focus on these users first. What: these applications are affected. Where: the breach affected these areas. When: this is the scope of exposure over time. How: here is the origin and progression of the threat.