Cisco Advanced Malware Protection
Executive – Security & Availability Solutions
September 2016
Agenda
• The Threat Landscape
• The New Security Model
• Talos & CSI – Collective Security Intelligence
• Advanced Malware Protection (AMP)
• Plan A & Plan B
• AMP for Network Example
• AMP for Endpoint
• AMP for Content
• Deployment Option
• AMP Threat Grid
• Summary
The Threat Landscape
Malware Will Get Into Your Environment
• 60% of data stolen in hours
• 65% of organizations say attacks evaded existing preventative security tools
• $5.9M average cost of a breach in the United States
Sources: 2014 Cisco Annual Security Report; 2014: A Year of Mega Breaches, Ponemon Institute; Cost of a Data Breach, 2013/2014, Ponemon Institute.
Once Inside, Organizations Struggle to Deal with It
• 33% of organizations take 2+ years to discover a breach
• 55% of organizations are unable to determine the cause of a breach
• 45 days average time to resolve a cyber-attack
• 54% of breaches remain undiscovered for months
[Timeline figure, 1990–2020: Viruses (1990–2000); Worms (2000–2005); Spyware and Rootkits (2005–Today); APTs, Cyberware (Today+). Phases: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape.]
• 100% of large companies targeted by malicious traffic
• 95% of organizations interacted with websites hosting malware
The Reality: Organizations Are Under Attack and Malware Is Getting in
• Cybercrime is lucrative, barrier to entry is low
• Hackers are smarter and have the resources to compromise your organization
• Malware is more sophisticated
• Organizations face tens of thousands of new malware samples per hour
What would you do differently if you KNEW you were going to be compromised?
“Our AMP portfolio is the core differentiation we have as a company.”
– John Chambers, Chairman, Cisco
Security is Cisco’s #1 priority
$B’s invested in advanced security acquisitions:
• Adv. Threat Detection
• Security Analytics
• Malware Analysis / Threat Intel
• Security Advisory / Response
• Cloud-based DNS Security
• Context-Aware Security Analytics
The New Security Model
Why do we need a new approach? Gaps in protection!
Fragmented offerings across multiple vendors vs. a streamlined advanced security solution:
• Cost: higher total cost to build and run vs. lower opex and easier to manage
• Overall performance: less communication between components vs. better communication and integration
• Time to detection: more lag in finding threats vs. faster time to detection
Why has point-in-time detection failed?
• Malware no longer infects as individual files
• The initial virus is often bespoke – custom written for a single attack campaign (polymorphism)
• Once the infection has taken place, more unique malware is downloaded and the cycle is repeated
• The bad guys are clever, resourceful and well motivated
Sandboxing is Not a Silver Bullet
• Sandboxing is an excellent informational engine, but stumbles as a protection mechanism
• Can only detect threats which act in a suspicious manner quickly
• Cannot assess danger until the damage has been done
• Can easily be overwhelmed
[Diagram: Antivirus and Sandboxing vs. Cisco AMP. Point-in-time detection: initial disposition = Clean, analysis stops, actual disposition = Bad = too late; blind to scope of compromise; not 100% (evaded by sleep techniques, unknown protocols, encryption, polymorphism). Cisco AMP: initial disposition = Clean, analysis continues, retrospective detection, actual disposition = Bad = blocked; “turns back time”.]
Visibility and Control are Key
Point-in-Time Detection Tools Alone Are Insufficient and Provide Limited or No Visibility Into Threats Once They Get in
Breach + Visibility and Context, continuously and rapidly:
• Prevention
• Detection
• Containment
• Remediation
The New Security Model: The Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Products placed along the continuum: ASA, FirePOWER/Meraki MX, Cisco ISE, NGIPS, WSA/CWS, ESA/CES, ThreatGrid, Advanced Malware Protection, Cyber Threat Defense
TALOS: Multi-tiered defense, threat intelligence and advanced analytics
The Numbers
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• Experienced team of engineers, technicians, and researchers
• 35% of worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
Intelligence sources:
• AMP Community
• Private/Public Threat Feeds
• Talos Security Intelligence
• AMP Threat Grid Intelligence
• AMP Threat Grid Dynamic Analysis: 10 million files/month
• Advanced Microsoft and Industry Disclosures
• Snort and ClamAV Open Source Communities
• AEGIS Program
Telemetry from Web (WWW), Endpoints, Devices, Networks, Email, IPS
Automatic updates in real time!! (Used to be 3-5 min)
Cisco® Collective Security Intelligence Cloud
AMP – Advanced Malware Protection: Threat Intelligence and Analytics, with Point-in-Time protection, with Continuous Analysis and Retrospective Security
1. Visibility (See) and 2. Control
Visibility and Control Across the Full Attack Continuum
• Before an attack: Prevent
• During an attack: Detect, Block and Contain
• After an attack: Record, Analyze, Detect, Remediate
Plan A & Plan B
Point-in-Time Detection and Retrospective Security – Unique to Cisco® AMP
Cisco AMP Delivers:
• Point-in-Time Protection: File Reputation, Sandboxing, and Behavioral Detection
• Retrospective Security: Continuous Analysis
PIT Detection – The Seven Features (Continuous Protection)
• Reputation Filtering: One-to-One Signature, Fuzzy Finger-printing, Machine Learning
• Behavioral Detection: Indications of Compromise, Device Flow Correlation, Dynamic Analysis, Advanced Analytics
Point-in-Time Detection and Retrospective Security, backed by Cisco Collective Security Intelligence
Reputation Filtering Is Built On Three Features – One-to-One Signature
1. Unknown file is encountered, signature is analyzed, sent to cloud
2. File is not known to be malicious and is admitted
3. Unknown file is encountered, signature is analyzed, sent to cloud
4. File signature is known to be malicious and is prevented from entering the system
(Lookups are made against the Collective Security Intelligence Cloud.)
Reputation Filtering Is Built On Three Features – Fuzzy Finger-printing
1. Fingerprint of file is analyzed and determined to be malicious
2. Malicious file is not allowed entry
3. Polymorphic form of the same file tries to enter the system
4. The fingerprints of the two files are compared and found to be similar to one another
5. Polymorphic malware is denied entry based on its similarity to known malware
Reputation Filtering Is Built On Three Features – Machine Learning
Machine Learning Decision Tree: possible clean file / possible malware, refined to confirmed clean file / confirmed malware
1. Metadata of unknown file is sent to the cloud to be analyzed
2. Metadata is recognized as possible malware
3. File is compared to known malware and is confirmed as malware
4. Metadata of a second unknown file is sent to cloud to be analyzed
5. Metadata is similar to known clean file, possibly clean
6. File is confirmed as a clean file after being compared to a similarly clean file
Behavioral Detection Is Built On Four Features – Indications of Compromise and Device Flow Correlation
1. File of unknown disposition is encountered
2. File replicates itself and this information is communicated to the cloud
3. File communicates with malicious IP addresses or starts downloading files with known malware disposition
4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client
5. These indications are prioritized and reported to the security team as a possible compromise
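The five steps above describe a correlation: no single activity is conclusive, but replication combined with a malicious-disposition action is reported and prioritized. The following is an added example (not Cisco code) that models that logic over constructed telemetry; the reputation sets, file identifiers and the RFC 5737 test addresses are all constructed stand-ins for a cloud lookup.

```python
"""Behavioral IOC correlation for a file of unknown disposition (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Telemetry(NamedTuple):
    host: str       # endpoint reporting the activity
    sha256: str     # file of unknown disposition that performed it
    activity: str   # "replicate" | "connect" | "download"
    detail: str     # path written, destination IP, or hash of the downloaded file


# Constructed reputation data standing in for the intelligence-cloud lookup.
BAD_IPS = {"203.0.113.9"}                   # RFC 5737 documentation range
KNOWN_MALWARE = {"sha256:known-bad-dropper"}  # constructed identifier


def indicators_for(events: List[Telemetry]) -> List[str]:
    """Map the raw activities of one file on one host to named indicators."""
    found = set()
    for ev in events:
        if ev.activity == "replicate":
            found.add("self-replication")
        elif ev.activity == "connect" and ev.detail in BAD_IPS:
            found.add("malicious-ip-contact")
        elif ev.activity == "download" and ev.detail in KNOWN_MALWARE:
            found.add("known-malware-download")
    return sorted(found)


def correlate(telemetry: List[Telemetry]) -> List[dict]:
    """Return prioritized compromise reports, highest indicator count first.

    Replication alone is a weak signal and is not reported; replication
    combined with contact to a bad IP or a known-malware download is.
    """
    by_key: Dict[tuple, List[Telemetry]] = defaultdict(list)
    for ev in telemetry:
        by_key[(ev.host, ev.sha256)].append(ev)

    reports = []
    for (host, sha), evs in by_key.items():
        ind = indicators_for(evs)
        if "self-replication" in ind and len(ind) >= 2:
            reports.append({"host": host, "sha256": sha,
                            "indicators": ind, "priority": len(ind)})
    # Security team sees the richest combination of activities first.
    reports.sort(key=lambda r: (-r["priority"], r["host"]))
    return reports


# Constructed telemetry: the first host shows the full sequence from the slide;
# the second only has the file replicate and talk to an unlisted address.
SAMPLE = [
    Telemetry("10.4.10.183", "sha256:unknown-file", "replicate", "C:\\Users\\Public\\svc.exe"),
    Telemetry("10.4.10.183", "sha256:unknown-file", "connect", "203.0.113.9"),
    Telemetry("10.4.10.183", "sha256:unknown-file", "download", "sha256:known-bad-dropper"),
    Telemetry("10.5.11.8", "sha256:unknown-file", "replicate", "C:\\Temp\\svc.exe"),
    Telemetry("10.5.11.8", "sha256:unknown-file", "connect", "198.51.100.20"),
]

if __name__ == "__main__":
    for report in correlate(SAMPLE):
        print(report)
```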
Behavioral Detection Is Built On Four Features – Dynamic Analysis (AMP Threat Grid Sandbox)
1. Dynamic Analysis Engine executes unknown files in on-premises or cloud sandboxes powered by Cisco® AMP Threat Grid
2. Two files are determined to be malware, one is confirmed as clean
3. Intelligence Cloud is updated with analysis results, and retrospective alerts are broadcast to the collective user base
Retrospective Security
To be effective, you have to be everywhere, continuously
Why Continuous Protection Is Necessary
• Context: Who, What, Where, When, How
• Enforcement
• Continuous Analysis: Event History
• Collective Security Intelligence
Cisco AMP Defends With Retrospective Security
• Trajectory
• Behavioral Indications of Compromise
• Elastic Search
• Continuous Analysis
• Attack Chain Weaving
How Does Cisco AMP Work?
“File Trajectory” – What systems were affected?
• Visibility centered on a given file
• What systems are potentially infected?
• Who was the first (“Patient 0”)?
• What was the point of entry?
• When?
How Cisco AMP Works: Network File Trajectory Use Case
1. An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
2. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
3. Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.
4. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
5. The Cisco® Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
6. At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
7. Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
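The use case above, and the reputation-filtering flow earlier (unknown file admitted, later known-malicious file blocked), both turn on recording every sighting so a later verdict can be applied backwards. The following is an added example (not Cisco code) that replays the four transfers and the retrospective verdict; the download time, the file identifier, the source device of the third hop and the carrier of the second hop are constructed, since the slide does not state them.

```python
"""Retrospective file trajectory for the network use case (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    sha256: str
    src: Optional[str]   # None when the file arrives from outside the network
    dst: str             # device that received the file
    app: str             # application/protocol that carried it


@dataclass
class RetrospectiveEvent:
    sha256: str
    devices: List[str]   # every device that has held the file, in order seen
    patient_zero: str    # first device to receive the file
    point_of_entry: str  # application that brought it in
    first_seen: datetime


class IntelligenceCloud:
    """Stand-in for the reputation lookup; a file's disposition can change later."""

    def __init__(self) -> None:
        self._disposition: Dict[str, str] = {}

    def lookup(self, sha256: str) -> str:
        return self._disposition.get(sha256, "unknown")

    def update(self, sha256: str, disposition: str) -> None:
        self._disposition[sha256] = disposition


class FileTrajectory:
    def __init__(self, cloud: IntelligenceCloud) -> None:
        self.cloud = cloud
        self.sightings: Dict[str, List[FileEvent]] = {}

    def observe(self, ev: FileEvent) -> str:
        """Point-in-time decision: block known-malicious files, record everything else."""
        if self.cloud.lookup(ev.sha256) == "malicious":
            return "blocked"
        self.sightings.setdefault(ev.sha256, []).append(ev)
        return "admitted"

    def update_disposition(self, sha256: str, disposition: str) -> Optional[RetrospectiveEvent]:
        """Continuous analysis: apply a later verdict to every sighting already recorded."""
        self.cloud.update(sha256, disposition)
        events = sorted(self.sightings.get(sha256, []), key=lambda e: e.ts)
        if disposition != "malicious" or not events:
            return None
        devices: List[str] = []
        for e in events:
            for dev in (e.src, e.dst):
                if dev and dev not in devices:
                    devices.append(dev)
        first = events[0]
        return RetrospectiveEvent(sha256, devices, first.dst, first.app, first.ts)


def run_use_case():
    """Replay the slide's four transfers, the retrospective verdict and the re-entry attempt."""
    t0 = datetime(2016, 9, 1, 10, 50)   # constructed time of the Firefox download
    sha = "sha256:unknown-file"         # constructed identifier
    traj = FileTrajectory(IntelligenceCloud())
    traj.observe(FileEvent(t0, sha, None, "10.4.10.183", "Firefox"))
    traj.observe(FileEvent(datetime(2016, 9, 1, 10, 57), sha, "10.4.10.183", "10.5.11.8", "unspecified"))
    traj.observe(FileEvent(datetime(2016, 9, 1, 17, 57), sha, "10.5.11.8", "10.3.4.51", "SMB"))
    traj.observe(FileEvent(datetime(2016, 9, 1, 18, 27), sha, "10.3.4.51", "10.5.60.66", "SMB"))
    retro = traj.update_disposition(sha, "malicious")   # the cloud learns the file is bad
    # Eight hours after the first attack the file returns through the original entry point.
    reentry = traj.observe(FileEvent(t0 + timedelta(hours=8), sha, None, "10.4.10.183", "Firefox"))
    return retro, reentry


if __name__ == "__main__":
    retro_event, reentry_result = run_use_case()
    print(retro_event)
    print("re-entry:", reentry_result)
```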
AMP File Rules
[Screenshot: file rule configuration – Store files?, Criteria, Application Protocol, Action]
AMP for Endpoint
Protection Framework
• 1-to-1 Signatures
• Generic Signatures
• Machine Learning
• IOCs & CVEs
• Dynamic Analysis
• Advanced Analytics
• Device Flow Correlation
When Malware Strikes, Have Answers
• Where did it come from?
• Who else is infected?
• What is it doing?
• How do I stop it?
Device Trajectory and File Trajectory
And Solutions: Outbreak Control
Multiple ways to stop threats and eliminate root causes
• Simple Custom Detections – fast & specific
• Advanced Custom Signatures – families of malware
• Application Blocking Lists – group policy control
• Custom White Lists – trusted apps & images
• Device Flow Correlation / IP Blacklists – stop connections to bad sites
Simple and specific controls OR context-rich signatures for broader control
Cloud & client based
AMP for Endpoint – Detection is “Table Stakes”
AMP for Endpoint – “Before” an IOC
AMP for Endpoint – “During” - Remediate ZeroAccess Variant
AMP for Endpoint – Remediate old version of Java JRE
AMP for Endpoint – “After” the Malware drops…
• Windows
  • XP SP3+
  • Vista SP2+
  • Windows 7
  • Windows 8 & 8.1
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
  • Windows 10
• Linux*
  • CentOS 6.4
  • CentOS 6.5
  • CentOS 6.6
  • RHEL 6.5
  • RHEL 6.6
  *Public Cloud Only
• Mac
  • OSX 10.7 – Lion
  • OSX 10.8 – Mountain Lion
  • OSX 10.9 – Mavericks
  • OSX 10.10 – Yosemite
  • OSX 10.11 – El Capitan
• Android*
  • Android 2.1 – Éclair
  • Android 2.2 – Froyo
  • Android 2.3 – Gingerbread
  • Android 3.0 – Honeycomb
  • Android 4.0 – Ice Cream Sandwich
  • Android 4.1 – 4.3 – Jelly Bean
  • Android 4.4 – KitKat
  • Android 5.0 – 5.1 – Lollipop
A4E Connector Deployment Options
• Download & Redistribute: download the connector package and redistribute via SCCM, Altiris, or GPO
• E-Mail Link for download directly from AMP Cloud
• Cisco AnyConnect client – AMP Enabler
Deployment Options
The AMP Everywhere Architecture
AMP Protection Across the Extended Network for an Integrated Threat Defense
AMP Threat Intelligence Cloud, connected to:
• AMP for Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS/Red Hat Linux for servers and datacenters; remote endpoints can launch AMP for Endpoints from AnyConnect
• AMP on Web and Email Security Appliances
• AMP on Cisco® NGFW Firewalls
• AMP Private Cloud Virtual Appliance
• AMP for Networks (AMP on Firepower NGIPS Appliance bundle)
• AMP on Cloud Web Security and Hosted Email (CWS/CTA)
• Threat Grid: Malware Analysis + Threat Intelligence Engine
• AMP on ISR with Firepower Services
Deployment Options in Detail
AMP on ESA, WSA, ASA, CWS
• Method: License with ESA, WSA, CWS, or ASA customers
• Ideal for: New or existing Cisco CWS, Email/Web Security, ASA customers
• Details: ESA/WSA: prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services
• Threat Grid: Hybrid or on-premises integration
AMP for Networks (AMP on FirePOWER Network Appliance)
• Method: Snap into your network
• Ideal for: FirePOWER NGIPS customers
• Details: Wide visibility inside network; broad selection of features – before, during, and after an attack; comprehensive threat protection and response
• Threat Grid: Cloud integration in November 2015; on-premises integration in 1H 2016
AMP for Endpoints
• Method: Install lightweight connector on endpoints
• Ideal for: Windows, Mac, Android, Linux, virtual machines; can also deploy from AnyConnect client
• Details: Granular visibility and control; widest selection of AMP features
• Threat Grid: Integrated into file analysis feature
AMP Private Cloud Virtual Appliance
• Method: Deploy on-premises Virtual Appliance
• Ideal for: High-Privacy Environments
• Details: Private Cloud option for those with high-privacy requirements; can deploy full air-gapped mode or cloud proxy mode; for endpoints and networks
• Threat Grid: Integration coming in 1H 2016
Threat Grid
What is AMP Threat Grid?
Industry’s 1st Unified Malware Analysis and Threat Intelligence Solution
Automated Analysis
• Static and Dynamic Analysis
• Sandboxing is only part of it
• Cloud based SaaS or Appliance
Context Rich Analytics
• Quickly answer why something is bad
• Where it was communicating to
• If it has been seen before
Seamless Integration
• Edge to Endpoint with Cisco security solutions
• OEM integrations
• API for 3rd party integrations
Introducing: Threat Grid Everywhere
[Diagram: a suspicious file is submitted to AMP Threat Grid (dynamic analysis, static analysis, threat intelligence) from Cisco security solutions at the edge and on endpoints (ASA w/ FIREPOWER Services, ESA, CTA, WSA, AMP for Endpoints, AMP for Network) and, via partner integration, from non-Cisco security solutions (security monitoring platforms, deep packet inspection, governance/risk/compliance, SIEM); an analysis report and premium content feeds are returned to security teams.]
Summary
Cisco AMP = Contextual Awareness + Visibility
• What: These applications are affected
• Where: The breach affected these areas
• When: This is the scope of exposure over time
• How: Here is the origin and progression of the threat
• Who: Focus on these users first
Summary: AMP!
• We see what others can’t – unmatched visibility.
• CSI Intelligence – zero-day threat protection.
• BDA Security Model – not only a point-in-time solution.
• AMP Deployment – AMP Everywhere, meaning flexibility.
AMP Assets to Learn More
AMP Webpages
www.cisco.com/go/amp
www.cisco.com/go/ampsolution
www.cisco.com/go/ampendpoint
www.cisco.com/go/ampnetwork
www.cisco.com/go/ampprivatecloud
www.cisco.com/go/amptg
• Cloud deployment
• On-premises deployment
AMP Solution Overview Videos
• AMP for Endpoints Overview Video
• AMP for Networks Overview Video
• AMP Threat Grid Overview Video
• AMP Overview in 4 Minutes: Meet Tom, the IT Security Guy
Cisco Executive Perspectives on Security
• John Chambers on Cisco Security and AMP
Demos
• 5-minute AMP Demo, with Threat Grid integration
• AMP Threat Grid for Incident Response
• AMP and Threat Grid Full Demo on TechWise TV, June 2015
• AMP Threat Grid: Portal overview and API demo
Customer Testimonials
• Playlist of all Customer Testimonials on AMP
• First Financial Bank
• SHSU uses AMP for Endpoints
• Center for Internet Security uses AMP Threat Grid
Data Sheets, At-a-Glances, Infographic, Whitepapers
• AMP Solution Overview
• AMP for Networks: Data Sheet | AAG
• AMP for Endpoints: Data Sheet | AAG
• AMP Private Cloud: Data Sheet
• Security Everywhere Whitepaper (direct link)
• AMP Threat Grid Solution Overview
• AMP Threat Grid – Appliance: Data Sheet | AAG
• AMP Threat Grid – Cloud: Data Sheet
• Continuous Endpoint Protection in a Point-in-Time World
Third Party Validation
• Gartner Video-on-Demand: Strategies to Combat Advanced Threats featuring Cisco AMP
• 2015 NSS Labs Breach Detection Test Results
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

AMP Security: Malware Protection Presentation (transcript)

  • 1. Cisco Advanced Malware Protection Executive – Security & Availability Solutions September 2016
  • 2. Agenda
     • The Threat Landscape
     • The New Security Model
     • Talos & CSI – Collective Security Intelligence
     • Advanced Malware Protection (AMP)
     • Plan A & Plan B
     • AMP for Network Example
     • AMP for Endpoint
     • AMP for Content
     • Deployment Option
     • AMP Threat Grid
     • Summary
  • 4. Malware Will Get Into Your Environment
     • 60% of data stolen in hours
     • 65% of organizations say attacks evaded existing preventative security tools
     • $5.9M average cost of a breach in the United States
     Sources: 2014 Cisco Annual Security Report; 2014: A Year of Mega Breaches, Ponemon Institute; Cost of a Data Breach, 2013/2014, Ponemon Institute.
  • 5. Once Inside, Organizations Struggle to Deal with It
     • 33% of organizations take 2+ years to discover a breach
     • 55% of organizations are unable to determine the cause of a breach
     • 45 days: average time to resolve a cyber-attack
     • 54% of breaches remain undiscovered for months
     Sources: as on slide 4.
  • 6. The Reality: Organizations Are Under Attack and Malware Is Getting In
     Timeline 1990-2020: Viruses (1990-2000), Worms (2000-2005), Spyware and Rootkits (2005-today), APTs and Cyberwarfare (today+); from phishing and low-sophistication hacking, to hacking becoming an industry, to sophisticated attacks in a complex landscape.
     • 100% of large companies targeted by malicious traffic
     • 95% of organizations interacted with websites hosting malware
     • Cybercrime is lucrative, barrier to entry is low
     • Hackers are smarter and have the resources to compromise your organization
     • Malware is more sophisticated
     • Organizations face tens of thousands of new malware samples per hour
  • 7. What would you do differently if you KNEW you were going to be compromised?
  • 8. John Chambers, Chairman, Cisco: “Our AMP portfolio is the core differentiation we have as a company.” Security is Cisco’s #1 priority: $B’s invested in advanced security acquisitions covering advanced threat detection, security analytics, malware analysis / threat intel, security advisory / response, cloud-based DNS security, and context-aware security analytics.
  • 10. Why do we need a new approach? Gaps in protection!
     Fragmented offerings across multiple vendors vs. a streamlined advanced security solution:
     • Cost: higher total cost to build and run vs. lower opex and easier to manage
     • Overall performance: less communication between components vs. better communication and integration
     • Time to detection: more lag in finding threats vs. faster time to detection
  • 11. Why has point-in-time detection failed?
     • Malware no longer infects as individual files
     • The initial virus is often bespoke, custom written for a single attack campaign (polymorphism)
     • Once the infection has taken place, more unique malware is downloaded and the cycle is repeated
     • The bad guys are clever, resourceful and well motivated
     Sandboxing is not a silver bullet:
     • Sandboxing is an excellent informational engine, but stumbles as a protection mechanism
     • It can only detect threats which act in a suspicious manner quickly
     • It cannot assess danger until the damage has been done
     • It can easily be overwhelmed
  • 12. Point-in-Time Detection Tools Alone Are Insufficient and Provide Limited or No Visibility Into Threats Once They Get In
     Antivirus / sandboxing (point-in-time detection): initial disposition = clean; detection is not 100% (sleep techniques, unknown protocols, encryption, polymorphism); analysis stops; actual disposition = bad = too late; blind to the scope of compromise.
     Cisco AMP: initial disposition = clean; analysis continues; actual disposition = bad = blocked; retrospective detection “turns back time”. Visibility and control are key.
  • 13. Breach: prevention, detection, containment and remediation, continuously and rapidly.
  • 14. The New Security Model: Visibility and Context across the Attack Continuum
     • BEFORE: Discover, Enforce, Harden
     • DURING: Detect, Block, Defend
     • AFTER: Scope, Contain, Remediate
     Products shown across the continuum: ASA, FirePOWER / Meraki MX, Cisco ISE, NGIPS, WSA/CWS, ESA/CES, ThreatGrid; Advanced Malware Protection; Cyber Threat Defense.
  • 15. TALOS
  • 17. Threat Intelligence and Advanced Analytics: the Cisco® Collective Security Intelligence Cloud feeding AMP (Advanced Malware Protection)
     The numbers:
     • 1.6 million global sensors
     • 100 TB of data received per day
     • 150 million+ deployed endpoints
     • Experienced team of engineers, technicians, and researchers
     • 35% of worldwide email traffic
     • 13 billion web requests
     • 24x7x365 operations
     • 4.3 billion web blocks per day
     • 40+ languages
     • 1.1 million incoming malware samples per day
     Intelligence sources: AMP Community; private/public threat feeds; Talos Security Intelligence; AMP Threat Grid Intelligence; AMP Threat Grid dynamic analysis (10 million files/month); advanced Microsoft and industry disclosures; Snort and ClamAV open source communities; AEGIS Program.
     Telemetry from web, endpoints, devices, networks, email and IPS. Automatic updates in real time (used to be 3-5 min).
  • 18. AMP Advanced Malware Protection
  • 19. Visibility and Control Across the Full Attack Continuum: threat intelligence and analytics, with point-in-time protection, with continuous analysis and retrospective security
     • Before an attack: 1. Visibility – See; 2. Control – Prevent
     • During an attack: Detect; Block and Contain
     • After an attack: Record, Analyze, Detect; Remediate
  • 20. Plan A & Plan B Point-in-Time Detection and Retrospective Security
  • 21. Cisco AMP delivers: point-in-time protection (file reputation, sandboxing, and behavioral detection) and retrospective security (continuous analysis; unique to Cisco® AMP).
  • 22. Point-in-Time Detection: The Seven Features (with continuous protection)
     • Reputation Filtering: One-to-One Signature, Fuzzy Finger-printing, Machine Learning
     • Behavioral Detection: Indications of Compromise, Device Flow Correlation, Dynamic Analysis, Advanced Analytics
     All fed by Cisco Collective Security Intelligence; point-in-time detection is paired with retrospective security.
  • 23. Reputation Filtering Is Built On Three Features (one-to-one signature)
     1. An unknown file is encountered, its signature is analyzed and sent to the Collective Security Intelligence Cloud
     2. The file is not known to be malicious and is admitted
     3. A second unknown file is encountered, its signature is analyzed and sent to the cloud
     4. That file signature is known to be malicious and the file is prevented from entering the system
  • 24. Reputation Filtering Is Built On Three Features (fuzzy finger-printing)
     1. The fingerprint of a file is analyzed and determined to be malicious
     2. The malicious file is not allowed entry
     3. A polymorphic form of the same file tries to enter the system
     4. The fingerprints of the two files are compared and found to be similar to one another
     5. The polymorphic malware is denied entry based on its similarity to known malware
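The slide above describes fuzzy fingerprinting only in outline. The block below is an added example, not Cisco code, and the page does not describe the algorithm AMP itself uses: it is a minimal content-defined-chunking similarity fingerprint in Python. A rolling hash over the last 16 bytes decides where to cut the file into chunks, each chunk is hashed, and two files are scored by the Jaccard overlap of their chunk-hash sets. Because cut points depend only on nearby bytes, a polymorphic variant that rewrites one region still shares most chunks with the known-bad original even though its SHA-256 (the one-to-one signature of slide 23) no longer matches. The hash parameters, the 4 KB pseudo-random "binaries", the 256-byte rewritten region and the seed are all constructed for the demo.

```python
"""Toy similarity fingerprint (content-defined chunking + Jaccard). Added example, not Cisco code."""
import hashlib
import random

WINDOW = 16                        # bytes covered by the rolling hash (constructed parameter)
PRIME = 31
PW = pow(PRIME, WINDOW, 1 << 32)   # PRIME**WINDOW mod 2**32, used to drop the oldest byte
BOUNDARY_MASK = 0x3F               # cut when the mixed hash has its low 6 bits clear: ~1 cut per 64 bytes
MIN_CHUNK = 16                     # never cut chunks shorter than this


def chunk_hashes(data: bytes) -> set:
    """Cut data at content-defined boundaries and return the set of per-chunk digests.

    A boundary depends only on the last WINDOW bytes, so an edit in one region changes
    only the chunks touching it; chunks before and after it hash to the same values.
    """
    chunks, start, h = set(), 0, 0
    for i, b in enumerate(data):
        h = (h * PRIME + b) & 0xFFFFFFFF
        if i >= WINDOW:                                   # slide the window: remove data[i - WINDOW]
            h = (h - data[i - WINDOW] * PW) & 0xFFFFFFFF
        mixed = (h ^ (h >> 13) ^ (h >> 26)) & BOUNDARY_MASK
        if i + 1 - start >= MIN_CHUNK and mixed == 0:
            chunks.add(hashlib.sha256(data[start:i + 1]).hexdigest()[:16])
            start = i + 1
    if start < len(data):                                 # trailing chunk
        chunks.add(hashlib.sha256(data[start:]).hexdigest()[:16])
    return chunks


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of the two chunk sets: 0.0 (nothing shared) to 1.0 (identical)."""
    ca, cb = chunk_hashes(a), chunk_hashes(b)
    if not ca and not cb:
        return 1.0
    return len(ca & cb) / len(ca | cb)


def build_samples():
    """Constructed inputs: a pseudo-random 4 KB 'binary', a polymorphic variant with
    256 bytes rewritten in the middle (a re-packed stub, say), and an unrelated file."""
    rng = random.Random(20160901)                         # fixed seed so the demo is repeatable
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    rewritten = bytes(rng.getrandbits(8) for _ in range(256))
    variant = original[:2048] + rewritten + original[2048 + 256:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(4096))
    return original, variant, unrelated


def compare() -> dict:
    """Exact-hash reputation lookup misses the variant; the fuzzy score still catches it."""
    original, variant, unrelated = build_samples()
    return {
        "exact_match": hashlib.sha256(original).digest() == hashlib.sha256(variant).digest(),
        "variant_similarity": similarity(original, variant),
        "unrelated_similarity": similarity(original, unrelated),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

In a real deployment the score would be compared against a threshold chosen from known clean/malicious pairs; here the variant scores well above 0.5 while the unrelated file shares no chunks at all, which is the property slide 24 relies on.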
  • 25. Reputation Filtering Is Built On Three Features (machine learning; decision tree from possible clean file / possible malware to confirmed clean file / confirmed malware)
     1. Metadata of an unknown file is sent to the cloud to be analyzed
     2. The metadata is recognized as possible malware
     3. The file is compared to known malware and is confirmed as malware
     4. Metadata of a second unknown file is sent to the cloud to be analyzed
     5. The metadata is similar to a known clean file, so it is possibly clean
     6. The file is confirmed as clean after being compared to a similar clean file
  • 26. Behavioral Detection Is Built On Four Features (indications of compromise)
     1. A file of unknown disposition is encountered
     2. The file replicates itself and this information is communicated to the cloud
     3. The file communicates with malicious IP addresses or starts downloading files with known malware disposition
     4. The combination of activities indicates a compromise and the behavior is reported to the cloud and the AMP client
     5. These indications are prioritized and reported to the security team as a possible compromise
  • 27. Behavioral Detection Is Built On Four Features (dynamic analysis)
     1. The Dynamic Analysis Engine executes unknown files in on-premises or cloud sandboxes powered by Cisco® AMP Threat Grid
     2. Two files are determined to be malware, one is confirmed as clean
     3. The Intelligence Cloud is updated with the analysis results, and retrospective alerts are broadcast to the collective user base
  • 28. Retrospective Security: to be effective, you have to be everywhere, continuously.
  • 29. Why Continuous Protection Is Necessary: context (who, what, where, when, how), enforcement, continuous analysis and event history, backed by Collective Security Intelligence.
  • 30. Cisco AMP Defends With Retrospective Security: trajectory, behavioral indications of compromise, elastic search, continuous analysis, attack chain weaving.
  • 31. How Cisco AMP Works
  • 32. “File Trajectory”: what systems were affected?
     • Visibility centered on a given file
     • What systems are potentially infected?
     • Who was the first (“Patient 0”)?
     • What was the point of entry?
     • When?
  • 33. How Cisco AMP Works: Network File Trajectory Use Case
  • 35. An unknown file is present on IP: 10.4.10.183, having been downloaded from Firefox
  • 36. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8
  • 37. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application
  • 38. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later
  • 39. The Cisco® Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
  • 40. At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware
  • 41. Eight hours after the first attack, the Malware tries to re-enter the system through the original point of entry but is recognized and blocked.
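Slides 35-41 walk through one file's trajectory and the retrospective event that follows. The block below is an added example, not Cisco's code: a toy trajectory store that records every sighting of a file by SHA-256 even while the file's disposition is unknown, raises one retrospective event per earlier sighting when the cloud verdict later flips to malicious, and blocks the next attempt to bring the same file in. The hosts and clock times are the ones on the slides; the date, the 10:30 first-seen time, the transport of the second hop and the payload bytes are assumed.

```python
"""Toy file-trajectory store with retrospective alerting. Added example, not Cisco code."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime

UNKNOWN, CLEAN, MALICIOUS = "unknown", "clean", "malicious"


@dataclass(frozen=True)
class Sighting:
    ts: datetime
    host: str      # device that now holds the file
    source: str    # where it came from: a host, or an application such as a browser
    app: str       # transport seen by the sensor, e.g. "http" or "smb"


@dataclass
class TrajectoryStore:
    sightings: dict = field(default_factory=dict)     # sha256 -> [Sighting, ...]
    disposition: dict = field(default_factory=dict)   # sha256 -> UNKNOWN / CLEAN / MALICIOUS
    retro_events: list = field(default_factory=list)  # (sha256, host, ts) raised after the fact

    def verdict(self, sha256: str) -> str:
        return self.disposition.get(sha256, UNKNOWN)

    def observe(self, content: bytes, s: Sighting) -> str:
        """Point-in-time decision at a sensor: block known-bad, otherwise admit but record."""
        sha256 = hashlib.sha256(content).hexdigest()
        if self.verdict(sha256) == MALICIOUS:
            return "blocked"
        # Keeping a record of files that looked fine is what makes retrospection possible.
        self.sightings.setdefault(sha256, []).append(s)
        return "allowed"

    def trajectory(self, sha256: str) -> list:
        """Every sighting of one file in time order: the 'File Trajectory' view."""
        return sorted(self.sightings.get(sha256, []), key=lambda s: s.ts)

    def patient_zero(self, sha256: str):
        t = self.trajectory(sha256)
        return t[0] if t else None

    def update_disposition(self, sha256: str, new: str) -> list:
        """Cloud intelligence changes its verdict; on a flip to malicious, raise one
        retrospective event per earlier sighting so every affected host can act."""
        old = self.verdict(sha256)
        self.disposition[sha256] = new
        raised = []
        if new == MALICIOUS and old != MALICIOUS:
            raised = [(sha256, s.host, s.ts) for s in self.trajectory(sha256)]
            self.retro_events.extend(raised)
        return raised


def run_scenario() -> dict:
    """Replays slides 35-41: hosts and clock times from the slides, everything else assumed."""
    def at(hour, minute):
        return datetime(2016, 9, 1, hour, minute)   # date assumed; the slides give clock times only

    store = TrajectoryStore()
    payload = b"constructed stand-in for the unknown binary"   # constructed sample content
    sha256 = hashlib.sha256(payload).hexdigest()
    hops = [
        Sighting(at(10, 30), "10.4.10.183", "firefox", "http"),   # first-seen time assumed
        Sighting(at(10, 57), "10.5.11.8", "10.4.10.183", "http"), # transport assumed
        Sighting(at(17, 57), "10.3.4.51", "10.5.11.8", "smb"),    # seven hours later, over SMB
        Sighting(at(18, 27), "10.5.60.66", "10.3.4.51", "smb"),   # half an hour after that
    ]
    decisions = [store.observe(payload, s) for s in hops]         # all "allowed": still unknown

    # The Collective Security Intelligence Cloud now learns the file is malicious.
    raised = store.update_disposition(sha256, MALICIOUS)

    # Eight hours after the first attack the file retries the original point of entry.
    reentry = store.observe(payload, Sighting(at(18, 30), "10.4.10.183", "firefox", "http"))

    return {
        "initial_decisions": decisions,
        "hosts": [s.host for s in store.trajectory(sha256)],
        "patient_zero": store.patient_zero(sha256).host,
        "retro_hosts": sorted({host for _, host, _ in raised}),
        "reentry": reentry,
    }


if __name__ == "__main__":
    result = run_scenario()
    print("patient zero:", result["patient_zero"])
    print("retrospective events raised for:", ", ".join(result["retro_hosts"]))
    print("re-entry attempt:", result["reentry"])
```

The design point is the one the slides make: the four hosts were all admitted at point-in-time, so without the stored sightings there would be nothing to alert on when the verdict changes. An endpoint connector acting on the retrospective event (slide 40) would quarantine the file; that action is outside this toy store.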
  • 42. AMP File Rules (rule form: store files?, criteria, application protocol, action)
  • 46. When Malware Strikes, Have Answers: Where did it come from? Who else is infected? What is it doing? How do I stop it? (Device Trajectory and File Trajectory)
  • 47. And Solutions: Outbreak Control, multiple ways to stop threats and eliminate root causes (cloud and client based)
     • Simple Custom Detections: fast and specific
     • Advanced Custom Signatures: families of malware
     • Application Blocking Lists: group policy control
     • Custom White Lists: trusted apps and images
     • Device Flow Correlation / IP Blacklists: stop connections to bad sites
     Simple and specific controls, or context-rich signatures for broader control.
  • 48. AMP for Endpoint – Detection is “Table Stakes”
  • 49-53. AMP for Endpoint – “Before” an IOC (five screenshot slides)
  • 54. AMP for Endpoint – “During” - Remediate ZeroAccess Variant
  • 55. AMP for Endpoint – Remediate old version of Java JRE
  • 56-60. AMP for Endpoint – “After” the Malware drops… (five screenshot slides)
  • 61. Supported platforms
     • Windows: XP SP3+, Vista SP2+, Windows 7, Windows 8 & 8.1, Windows 10, Windows Server 2003, Windows Server 2008, Windows Server 2012
     • Mac: OS X 10.7 Lion, 10.8 Mountain Lion, 10.9 Mavericks, 10.10 Yosemite, 10.11 El Capitan
     • Linux (public cloud only): CentOS 6.4, 6.5, 6.6; RHEL 6.5, 6.6
     • Android (public cloud only): 2.1 Eclair, 2.2 Froyo, 2.3 Gingerbread, 3.0 Honeycomb, 4.0 Ice Cream Sandwich, 4.1-4.3 Jelly Bean, 4.4 KitKat, 5.0-5.1 Lollipop
  • 62. A4E (AMP for Endpoints) Connector Deployment Options
     • Download the connector package and redistribute it via SCCM, Altiris or GPO
     • E-mail a link for download directly from the AMP Cloud
     • Cisco AnyConnect client – AMP Enabler
  • 64. The AMP Everywhere Architecture: AMP protection across the extended network for an integrated threat defense, all connected to the AMP Threat Intelligence Cloud
     • AMP for Endpoints: Windows OS, Android mobile, Mac OS, CentOS / Red Hat Linux for servers and datacenters, virtual; remote endpoints (AMP for Endpoints can be launched from AnyConnect)
     • AMP on Web and Email Security Appliances; AMP on Cloud Web Security and Hosted Email (CWS/CTA)
     • AMP on Cisco® NGFW firewalls; AMP for Networks (AMP on Firepower NGIPS appliance bundle); AMP on ISR with Firepower Services
     • AMP Private Cloud Virtual Appliance
     • Threat Grid: malware analysis + threat intelligence engine
  • 65. Deployment Options in Detail
     AMP on ESA, WSA, ASA, CWS
       Method: license with ESA, WSA, CWS, or ASA
       Ideal for: new or existing Cisco CWS, Email/Web Security, ASA customers
       Details: ESA/WSA give prime visibility into email/web; CWS gives web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services
       Threat Grid: hybrid or on-premises integration
     AMP for Networks (AMP on FirePOWER network appliance)
       Method: snap into your network
       Ideal for: FirePOWER NGIPS customers
       Details: wide visibility inside the network; broad selection of features before, during, and after an attack
       Threat Grid: cloud integration in November 2015; on-premises integration in 1H 2016
     AMP for Endpoints
       Method: install lightweight connector on endpoints
       Ideal for: Windows, Mac, Android, Linux, virtual machines; can also deploy from AnyConnect client
       Details: comprehensive threat protection and response; granular visibility and control; widest selection of AMP features
       Threat Grid: integrated into the file analysis feature
     AMP Private Cloud Virtual Appliance
       Method: deploy on-premises virtual appliance
       Ideal for: high-privacy environments
       Details: private cloud option for those with high-privacy requirements; can deploy in full air-gapped mode or cloud proxy mode; for endpoints and networks
       Threat Grid: integration coming in 1H 2016
  • 67. What is AMP Threat Grid? Industry’s 1st unified malware analysis and threat intelligence solution
     • Automated Analysis: static and dynamic analysis; sandboxing is only part of it; cloud-based SaaS or appliance
     • Context Rich Analytics: quickly answer why something is bad, where it was communicating to, and whether it has been seen before
     • Seamless Integration: edge to endpoint with Cisco security solutions; OEM integrations; API for 3rd-party integrations
  • 68. Introducing: Threat Grid Everywhere. Suspicious files from the edge (ASA with FirePOWER Services, ESA, WSA, CTA, AMP for Networks), from endpoints (AMP for Endpoints) and from partner integrations are submitted to AMP Threat Grid (dynamic analysis, static analysis, threat intelligence); analysis reports and premium content feeds flow back to Cisco and non-Cisco security solutions (security monitoring platforms, deep packet inspection, governance/risk/compliance, SIEM) and to security teams.
  • 70. Cisco AMP = Contextual Awareness + Visibility
     • What: these applications are affected
     • Where: the breach affected these areas
     • When: this is the scope of exposure over time
     • How: here is the origin and progression of the threat
     • Who: focus on these users first
  • 71. Summary: AMP!
     • We see what others can’t – unmatched visibility
     • CSI intelligence – zero-day threat protection
     • BDA (before/during/after) security model – not only a point-in-time solution
     • AMP deployment – AMP Everywhere, meaning flexibility
  • 72. AMP Assets to Learn More
     AMP web pages: www.cisco.com/go/amp, www.cisco.com/go/ampsolution, www.cisco.com/go/ampendpoint, www.cisco.com/go/ampnetwork, www.cisco.com/go/ampprivatecloud, www.cisco.com/go/amptg (cloud deployment, on-premises deployment)
     AMP solution overview videos: AMP for Endpoints Overview Video; AMP for Networks Overview Video; Cisco Executive Perspectives on Security; AMP Threat Grid Overview Video; AMP Overview in 4 Minutes: Meet Tom, the IT Security Guy; John Chambers on Cisco Security and AMP
     Demos: 5-minute AMP Demo, with Threat Grid integration; AMP Threat Grid for Incident Response; AMP and Threat Grid Full Demo on Techwise TV, June 2015; AMP Threat Grid: Portal overview and API demo
     Customer testimonials: playlist of all customer testimonials on AMP; First Financial Bank; SHSU uses AMP for Endpoints; Center for Internet Security uses AMP Threat Grid
  • 73. AMP Assets to Learn More
     Data sheets, at-a-glances, infographic, whitepapers: AMP Solution Overview; AMP for Networks: Data Sheet | AAG; AMP for Endpoints: Data Sheet | AAG; AMP Private Cloud: Data Sheet; Security Everywhere Whitepaper (direct link); AMP Threat Grid Solution Overview; AMP Threat Grid - Appliance: Data Sheet | AAG; AMP Threat Grid - Cloud: Data Sheet; Continuous Endpoint Protection in a Point-in-Time World
     Third-party validation: Gartner Video-on-Demand: Strategies to Combat Advanced Threats featuring Cisco AMP; 2015 NSS Labs Breach Detection Test Results
