
Cisco Connect Toronto 2018 sixty to zero

Published in: Technology

  1. AMP CANADA V2. Automating your Security with Cisco Canada, October 2018: Zero to Sixty. Sean Earhard, Advanced Threat Solution Specialist, 647-988-4945 / seearhar@cisco.com. Hussain Mohammed, Advanced Threat Solutions CSE, 514-623-3779 / mohhuss3@cisco.com.
  2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Agenda: actionable info on how organizations of any size are automating their most common and challenging security tasks.
  3. Must automation = work?
  4. es = p × (i + t), where es is effective security, p is protection, i is information and t is time. What is required for security to be automated? What happens when security is 99% effective?
  5. Mimic (verb): 1. to imitate or copy in action.
  6. 8 automation examples
  7. There are many broad models
  8. Model: F3EAD
  9. Mimic: Hunt for threats inside the environment
     • Find: Identify dormant or active files inside the environment that are threats
     • Fix: Verification of the targets
     • Finish: Take action against the attack
     • Exploit: Collect the information generated from the finish phase
     • Analyze: Develop the information collected by fusing it with broader intelligence to gain a deeper understanding of the threat and actor
     • Disseminate: Publish the results to feed back into the initial (Find) stage
  10. React to alerts or user tickets, identify target machine(s), remove machines from service, verify and/or reimage, add blocking to consoles, repeat, repeat, repeat, repeat, repeat, repeat…
  11. Rules and more rules and more rules and more rules and more rules and more rules and…
  12. Solution: Cisco AMP Continuous Analysis and Retrospective Detection. Patented technology that—even after a file is initially inspected—continues to compare the files inside your environment with the global threat landscape. By correlating your history with the latest threat intelligence from Talos, AMP hunts inside your environment to expose and block threats.
  13. [Figure: the Cisco AMP family, fed by the AMP Threat Intelligence Cloud, Threat Grid and "the largest commercial threat intelligence team in the world": AMP for Email, AMP for Network (Firewall & IPS), AMP for Web, AMP for Meraki MX, Umbrella (DNS) and AMP for Endpoints.] Continuous Analysis and Retrospective Detection correlate the latest threat intel with the history of your environment.
  14. DEMO: AMP for Endpoints
  15. Know More: AMP for Endpoints. Overview: https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html
  16. Mimic: Hunt for Anomalous Events
     • Find: Anomalies
     • Fix: Verification of the targets
     • Finish: Take action against the attack
     • Exploit: Collect the information generated from the finish phase
     • Analyze: Develop the information collected by fusing it with broader intelligence to gain a deeper understanding of the threat and actor
     • Disseminate: Publish the results to feed back into the initial (Find) stage
  17. Time and research and patience and testing and verification and reducing the noise and chasing false positives and more time and more research and more patience and more testing and more verification and more reducing the noise and more chasing false positives and…
  18. Solution: Cognitive Intelligence. Analyzing billions of web requests daily, Cognitive Intelligence uses machine learning to find malicious activity that has bypassed security controls, or entered through unmonitored channels (including removable media or IoT devices), and is operating inside an organization’s environment.
  19. [Figure: three-layer pipeline of AMP and CTA (Cognitive Threat Analytics) components: File Reputation, Anomaly detection, Trust modeling, Event classification, Entity modeling, Dynamic Malware Analysis, File Retrospection, Relationship modeling; HTTP(S) requests sorted into Normal, Unknown and Anomalous.] Identify suspicious traffic with Anomaly Detection: 10B+ requests are processed daily by 40+ detectors. Each detector provides its own anomaly score. Aggregated scores are used to segregate the normal traffic.
  20. Reduce false positives with Trust Modeling: HTTP(S) requests with similar attributes are clustered together. Over time, the clusters adjust their overall anomaly score as new requests are added.
  21. Categorize requests with Event Classification: 1,000+ classifiers are applied to a small subset of the anomalous and unknown clusters. Requests’ anomaly scores update based on their classifications. Outcomes shown: keep as legitimate, alert as malicious, keep as suspicious. Example classifications shown: media website, software update, certificate status check; tunneling, domain generation algorithm, command and control; suspicious extension, repetitive requests, unexpected destination.
  22. Attribute anomalous requests to endpoints and identify threats with Entity Modeling: a threat is triggered when the significance threshold is reached. New threats are triggered as more evidence accumulates over time.
  23. Determine if a threat is part of a threat campaign with Relationship Modeling. [Figure: incidents at Company A, Company B and Company C across Phase 1 to Phase 3 and Threat Type 1/2, linked to Attack Node 1 and Attack Node 2 by similarity correlation (global behavioral similarity, local behavioral similarity, local & global behavioral similarity) and by infrastructure correlation (shared threat infrastructure).]
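The layered flow on slides 19 to 22 (per-detector scores aggregated per request, clusters of similar requests whose score is re-averaged as members arrive, classifiers run only on the anomalous and unknown clusters, and per-endpoint evidence that fires a threat at a significance threshold) as an added, constructed example. It is not Cisco code: the detectors, thresholds, classifiers and the proxy-log style records are all assumptions chosen to exercise each layer.

```python
"""Toy version of the layered pipeline on slides 19-22. Constructed example;
detectors, thresholds, classifiers and sample records are assumptions."""
import re
from collections import defaultdict

# Constructed proxy-log style records: (endpoint, host, path, bytes_out, beacon_period_s)
REQUESTS = [
    ("pc-01", "cdn.media-site.example", "/video/123.mp4", 300, 30),   # polling a media site
    ("pc-01", "update.vendor.example", "/patch/kb1.cab", 200, 0),
    ("pc-02", "x7kq3z9p.example", "/g.php?id=1", 1800, 60),           # DGA-like beacon
    ("pc-03", "ocsp.ca.example", "/", 80, 0),
    ("pc-02", "x7kq3z9p.example", "/g.php?id=2", 1900, 60),
    ("pc-03", "files.partner.example", "/upload", 1900, 0),           # large but unclassified
    ("pc-02", "x7kq3z9p.example", "/g.php?id=3", 1700, 60),
    ("pc-02", "q8mz2vxw.example", "/g.php?id=4", 2100, 60),
]
NORMAL, UNKNOWN, ANOMALOUS = "normal", "unknown", "anomalous"
THREAT_THRESHOLD = 2.5  # assumed per-endpoint significance threshold

# Layer 1: independent detectors, each returning its own anomaly score in [0, 1]
def det_dga(host):
    label = host.split(".")[0]
    digits = sum(c.isdigit() for c in label) / len(label)
    no_vowels = len(label) >= 6 and not any(c in "aeiou" for c in label)
    return min(1.0, 2 * digits + (0.5 if no_vowels else 0.0))

def det_upload(bytes_out):
    return min(1.0, bytes_out / 2000.0)

def det_beacon(period):
    return 1.0 if period > 0 else 0.0

def anomaly_score(req):
    scores = (det_dga(req[1]), det_upload(req[3]), det_beacon(req[4]))
    return sum(scores) / len(scores)  # aggregate the per-detector scores

def bucket(score):
    return ANOMALOUS if score >= 0.6 else UNKNOWN if score >= 0.3 else NORMAL

# Trust modeling: requests with the same host and number-normalised path share a cluster
def cluster_key(req):
    return (req[1], re.sub(r"\d+", "N", req[2]))

# Layer 2: classifiers applied only to anomalous/unknown clusters; each adjusts the score
CLASSIFIERS = (
    ("legitimate", lambda host, path: host.startswith(("cdn.", "update.", "ocsp.")), -0.5),
    ("dga-c2", lambda host, path: det_dga(host) >= 1.0 and ".php" in path, +0.3),
)

def classify(host, path):
    adjust, labels = 0.0, []
    for name, test, delta in CLASSIFIERS:
        if test(host, path):
            adjust += delta
            labels.append(name)
    return adjust, labels

def run_pipeline(requests=REQUESTS):
    """Returns (cluster verdicts, evidence per endpoint, index at which each threat fired)."""
    clusters = defaultdict(list)   # cluster key -> member scores; mean = cluster score
    evidence = defaultdict(float)  # endpoint -> accumulated evidence (entity modeling)
    threats = {}                   # endpoint -> index of the request that crossed the threshold
    verdicts = {}                  # cluster key -> (bucket, classifier labels)
    for i, req in enumerate(requests):
        key = cluster_key(req)
        clusters[key].append(anomaly_score(req))
        score = sum(clusters[key]) / len(clusters[key])  # re-averaged as members arrive
        labels = []
        if bucket(score) != NORMAL:
            adjust, labels = classify(req[1], req[2])
            score = max(0.0, min(1.0, score + adjust))
        verdicts[key] = (bucket(score), labels)
        if bucket(score) != NORMAL:
            evidence[req[0]] += score
            if evidence[req[0]] >= THREAT_THRESHOLD and req[0] not in threats:
                threats[req[0]] = i
    return verdicts, dict(evidence), threats
```

The media-site polling trips the beacon detector but the legitimate classifier pulls it back to normal, the partner upload stays merely unknown, and pc-02 is reported as a threat only once its third beacon pushes the accumulated evidence over the threshold.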
  24. DEMO: Cognitive Intelligence
  25. Know More: Cognitive Intelligence. Overview: https://www.cisco.com/c/en/us/products/security/cognitive-threat-analytics/index.html
  26. Mimic: The Hunt for Exploit Attempts
     • Find: Suspicious events – exploit attempts
     • Fix: Verification of the targets
     • Finish: Take action against the attack
     • Exploit: Collect the information generated from the finish phase
     • Analyze: Develop the information collected by fusing it with broader intelligence to gain a deeper understanding of the threat and actor
     • Disseminate: Publish the results to feed back into the initial (Find) stage
  27. Rules and more rules and more rules and more rules and more rules and more rules and…
  28. Solution: AMP for Endpoints Exploit Prevention. Monitors process and disk activity for specific behaviors associated with key stages in ransomware execution—beginning with file download and execution, through to file encryption. When a process begins to exhibit those behaviors, malicious activity protection terminates it.
  29. Applications in a modern operating system based on virtual memory all access their own address space, which the system then maps to locations in physical memory and/or in the virtual-memory (paging) file on disk.
  30. Exploit Prevention, in three steps:
     • Make the memory unpredictable by changing the memory structure
     • Make the app aware of the legitimate memory structure
     • Any code accessing the old memory structure is malware
  31. Mimic: Hunt for Ransomware Encryption
     • Find: Ransomware encryption activity
     • Fix: Verification of the targets
     • Finish: Take action against the attack
     • Exploit: Collect the information generated from the finish phase
     • Analyze: Develop the information collected by fusing it with broader intelligence to gain a deeper understanding of the threat and actor
     • Disseminate: Publish the results to feed back into the initial (Find) stage
  33. Solution: AMP for Endpoints: Malicious Activity Protection (MAP)
  34. [Figure: ransomware kill chain across the endpoint and the network: email payload, dropper arrives, email opened, dropper executes, payload download attempts and payload download succeeds, C2 callbacks and command and control, key exchange, delete shadow copies, file encryption; counts of blocks and false negatives (18, 26) per stage; caption: "User calls the helpdesk to ask why IT is encrypting the machine".]
  35. DEMO: Exploit Prevention and Malicious Activity Protection
  36. Know More: AMP for Endpoints Exploit Prevention and Malicious Activity Protection. Overview: https://www.cisco.com/c/en/us/products/security/cognitive-threat-analytics/index.html. Overview: https://blogs.cisco.com/security/secure-your-endpoints-against-ransomware-introducing-malicious-activity-protection
  38. Mimic: Hunt for Threats in Encrypted Traffic
     • Find: Malware inside encrypted traffic
     • Fix: Verification of the targets
     • Finish: Take action against the attack
     • Exploit: Collect the information generated from the finish phase
     • Analyze: Develop the information collected by fusing it with broader intelligence to gain a deeper understanding of the threat and actor
     • Disseminate: Publish the results to feed back into the initial (Find) stage
  39. “You can’t see what?”
  40. Solution: Encrypted Traffic Analytics. With intraflow telemetry captured on Catalyst 9000 switches and ISR 4000 and ASR 1000 routers, Cisco hunts for malware in encrypted traffic.
  42. Know More: Encrypted Traffic Analytics (ETA). Overview: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf
  43. Mimic: Dynamic Threat Containment
     • Find: Evidence of a compromise
     • Fix: Verification of the targets
     • Finish: Take action against the attack
     • Exploit: Collect the information generated from the finish phase
     • Analyze: Develop the information collected by fusing it with broader intelligence to gain a deeper understanding of the threat and actor
     • Disseminate: Publish the results to feed back into the initial (Find) stage
  44. Solution: Rapid Threat Containment. Use the open integration of Cisco security products, technologies from Cisco partners, and the extensive network control of the Cisco Identity Services Engine (ISE) to dynamically respond to compromises.
  45. Rapid Threat Containment in Action
     • Get Answers Faster: use Cisco® Platform Exchange Grid (pxGrid) partner technologies to find threats faster
     • Stop Attacks Faster: use the network to contain attacks manually or automatically
     • Protect Critical Data Faster: dynamically restrict access permissions or remove a device as its threat score worsens
     [Figure: SIEM, Firepower firewall, custom detection and Stealthwatch feed threat and security intelligence to ISE over pxGrid; the network (switch, router, DC firewall, DC switch, wireless) acts as the enforcer; automatic or initiated by an IT admin, in about 5 seconds.]
  46-50. Rapid Threat Containment
     • Access privileges dynamically change with threat or vulnerability score
     • Ratings based on open, structured expressions (STIX: Structured Threat Information Expression; CVSS: Common Vulnerability Scoring System)
     [Figure: Cisco ISE access policy matrix fed by AMP; sources Worker, Guest, Risk L1, Risk L2, Risk L3, Risk L4; destinations Worker, Guest, Finance, E-mail, Internet, Remediation.] The walk-through:
     1. Insignificant: worker has open access to other workers, finance, email, and internet
     2. Distracting: malware on the device is identified by AMP for Endpoints
     3. Painful: threat activity escalates (ping sweeps), which changes the risk profile
     4. Damaging: lateral attacks trigger another increase in risk profile
     5. Convicted: device is isolated in the Remediation security group
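The five-step escalation above, as an added and constructed example of risk-driven change of authorization. It is not Cisco ISE or pxGrid code: the deck names the rows and columns of the access matrix but not its cells, so the cells, the indicator names and the risk each indicator implies are assumptions.

```python
"""Risk-driven change of authorization, modelled on the Rapid Threat Containment
walk-through. Constructed example; matrix cells and indicator mapping are assumed."""
from dataclasses import dataclass, field
from enum import IntEnum

class Risk(IntEnum):
    INSIGNIFICANT = 1   # L1
    DISTRACTING = 2     # L2
    PAINFUL = 3         # L3
    DAMAGING = 4        # L4

DESTINATIONS = ("Worker", "Guest", "Finance", "E-mail", "Internet", "Remediation")

# Assumed cells of the access matrix: source security group -> reachable destinations.
ACCESS_POLICY = {
    "Worker": {"Worker", "Finance", "E-mail", "Internet"},
    "Guest": {"Internet"},
    "Risk L2": {"Worker", "E-mail", "Internet"},
    "Risk L3": {"E-mail", "Internet"},
    "Risk L4": {"Internet"},
    "Remediation": {"Remediation"},
}

# Assumed mapping from indicators (as an endpoint agent might report them) to the
# risk level they imply; mirrors steps 2 to 4 of the walk-through.
INDICATOR_RISK = {
    "malware_identified": Risk.DISTRACTING,
    "ping_sweep": Risk.PAINFUL,
    "lateral_attack": Risk.DAMAGING,
}

@dataclass
class Device:
    name: str
    role: str = "Worker"            # static group assigned at authentication
    risk: Risk = Risk.INSIGNIFICANT
    convicted: bool = False
    history: list = field(default_factory=list)

    def security_group(self):
        if self.convicted:
            return "Remediation"
        if self.risk == Risk.INSIGNIFICANT:
            return self.role
        return f"Risk L{int(self.risk)}"

    def allowed(self, dest):
        return dest in ACCESS_POLICY[self.security_group()]

def ingest(device, indicator):
    """Apply one indicator: risk only ratchets upward; conviction isolates the device."""
    device.history.append(indicator)
    if indicator == "conviction":
        device.convicted = True
    else:
        level = INDICATOR_RISK.get(indicator)
        if level is None:
            raise ValueError(f"unknown indicator {indicator!r}")
        device.risk = max(device.risk, level)
    return device.security_group()

def remediate(device):
    """Leave the Remediation group only through an explicit clean-up step."""
    device.convicted = False
    device.risk = Risk.INSIGNIFICANT
    return device.security_group()

def run_walkthrough():
    """Replay steps 1 to 5 and return the device and its security group after each step."""
    d = Device("laptop-42")
    groups = [d.security_group()]
    for ind in ("malware_identified", "ping_sweep", "lateral_attack", "conviction"):
        groups.append(ingest(d, ind))
    return d, groups
```

Because risk ratchets upward, a lower-severity indicator arriving after a higher one never widens the device's access; only remediate() does.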
  51. Know More: Rapid Threat Containment. Overview: https://www.cisco.com/c/en/us/solutions/enterprise-networks/rapid-threat-containment/index.html
  52. Mimic: Sharing Threat Intel Between Vendors
     • Find: Evidence of a compromise
     • Fix: Verification of the targets
     • Finish: Take action against the attack
     • Exploit: Collect the information generated from the finish phase
     • Analyze: Develop the information collected by fusing it with broader intelligence to gain a deeper understanding of the threat and actor
     • Disseminate: Publish the results to feed back into the initial (Find) stage
  53. Memorize every console and jump between them as fast as you can… or buy a SIEM, connect that SIEM to all the things, get the SIEM producing, and keep that SIEM producing.
  54. Solution: Threat Grid. Accelerate malware threat detection and response with a powerful API that integrates and automates existing security products and processes.
  55. Cisco AMP Threat Grid Cloud: advanced file analysis; Glove Box interactive malware lab; automated correlation of behavior between samples; 2-way API integration with non-Cisco tools; supported integrations and partners (AMP solutions, select recipe integrations, select threat feed integrations).
  56. Cisco AMP Threat Grid Appliance: advanced file analysis; Glove Box interactive malware lab; automated correlation of behavior between samples; 2-way API integration with non-Cisco tools; supported integrations and partners (AMP solutions, select recipe integrations, select threat feed integrations).
  57. DEMO: Threat Grid
  58. Know More: Threat Grid. Overview: https://www.cisco.com/c/en/us/products/security/threat-grid/index.html
  59. Mimic: The full lifecycle of Incident Response
     • Find: Evidence of a compromise (picking up the scent)
     • Fix: Verification of the targets (following the scent)
     • Finish: Take action against the attack (eradicating the source)
     • Exploit: Collect the information generated from the finish phase
     • Analyze: Develop the information collected by fusing it with broader intelligence to gain a deeper understanding of the threat and actor
     • Disseminate: Publish the results to feed back into the initial (Find) stage
  60. F3EAD with internal and external sources:
     • Find: Threat intel (external)
     • Fix: Match to targets in your environment (internal)
     • Finish: Stop the attack (internal)
     • Exploit: Collect internal intel from the finish stage (internal)
     • Analyze: Add external info to deepen understanding (external)
     • Disseminate: Publish the results to repeat the Find phase (internal)
  61. Solution: Cisco Threat Response. Simplifies security investigations and incident response. It aggregates threat intelligence, enriches that intelligence with context from your organization, and shows where you’re impacted. And it places response actions right at your fingertips.
  62. [Figure: Cisco Threat Response (CTR) mapped onto Find, Fix, Finish, Exploit, Analyze and Disseminate, with sources, tools, actions and pivots in each phase; unstructured input, snapshots, casebooks, query all, one-click, portable.] 1.8 or…
  63. DEMO: Cisco Threat Response
  64. Know More: Cisco Threat Response (CTR). Overview: https://www.cisco.com/c/en/us/products/security/threat-response.html
  65. CONCLUSION
  66. es = p × (i + t), where es is effective security, p is protection, i is information and t is time. What is required for security to be automated? What happens when security is 99% effective?
