2. Agenda
• The Threat Landscape
• The New Security Model
• Talos & CSI – Collective Security Intelligence
• Advanced Malware Protection (AMP)
• Plan A & Plan B
• AMP for Network Example
• AMP for Endpoint
• AMP for Content
• Deployment Option
• AMP Threat Grid
• Summary
4. Malware Will Get Into Your Environment
• 60% of data stolen in hours
• 65% of organizations say attacks evaded existing preventative security tools
• $5.9M average cost of a breach in the United States
Sources: 2014 Cisco Annual Security Report; 2014: A Year of Mega Breaches, Ponemon Institute; Cost of a Data Breach, 2013/2014, Ponemon Institute.
5. Once Inside, Organizations Struggle to Deal with It
• 33% of organizations take 2+ years to discover a breach
• 55% of organizations unable to determine the cause of a breach
• 45 days average time to resolve a cyber-attack
• 54% of breaches remain undiscovered for months
Sources: 2014 Cisco Annual Security Report; 2014: A Year of Mega Breaches, Ponemon Institute; Cost of a Data Breach, 2013/2014, Ponemon Institute.
6. The Reality: Organizations Are Under Attack and Malware Is Getting in
Threat timeline (1990–2020):
• 1990–2000: Viruses
• 2000–2005: Worms
• 2005–Today: Spyware and Rootkits
• Today +: APTs, Cyberwar
Timeline captions: Phishing, Low Sophistication → Hacking Becomes an Industry → Sophisticated Attacks, Complex Landscape
• 100% of large companies targeted by malicious traffic
• 95% of organizations interacted with websites hosting malware
• Cybercrime is lucrative, barrier to entry is low
• Hackers are smarter and have the resources to compromise your organization
• Malware is more sophisticated
• Organizations face tens of thousands of new malware samples per hour
7. What would you do differently if you KNEW you were going to be compromised?
10. Why do we need a new approach? Gaps In Protection!
Fragmented offerings across multiple vendors vs a streamlined advanced security solution:
• Cost: higher total cost to build and run vs lower opex and easier to manage
• Overall performance: less communication between components vs better communication and integration
• Time to detection: more lag in finding threats vs faster time to detection
11. Why has point-in-time detection failed?
• Malware no longer infects as individual files
• The initial virus is often bespoke – custom written for a single attack campaign (polymorphism)
• Once the infection has taken place, more unique malware is downloaded and the cycle is repeated
• The bad guys are clever, resourceful and well motivated
Sandboxing is Not a Silver Bullet
• Sandboxing is an excellent informational engine, but stumbles as a protection mechanism
• Can only detect threats which act in a suspicious manner quickly
• Cannot assess danger until the damage has been done
• Can easily be overwhelmed
12. Point-in-Time Detection Tools Alone Are Insufficient and Provide Limited or No Visibility Into Threats Once They Get in
Point-in-time detection (Antivirus, Sandboxing):
• Initial disposition = Clean; analysis stops
• Actual disposition = Bad = Too late!!
• Blind to scope of compromise; not 100%
• Limitations: sleep techniques, unknown protocols, encryption, polymorphism
Cisco AMP:
• Initial disposition = Clean; analysis continues
• Retrospective detection: actual disposition = Bad = Blocked
• Turns back time; visibility and control are key
14. The New Security Model: Visibility and Context
Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Products across the continuum: ASA, FirePOWER/Meraki MX, Cisco ISE, NGIPS, WSA/CWS, ESA/CES, ThreatGrid, Advanced Malware Protection, Cyber Threat Defense
23. Cisco Collective Security Intelligence – Reputation Filtering Is Built On Three Features
Detection engines (grouped into Reputation Filtering and Behavioral Detection): Dynamic Analysis, Machine Learning, Fuzzy Fingerprinting, Advanced Analytics, One-to-One Signature, Indications of Compromise, Device Flow Correlation
Signature lookup against the Collective Security Intelligence Cloud:
1. Unknown file is encountered, signature is analyzed, sent to cloud
2. File is not known to be malicious and is admitted
3. Unknown file is encountered, signature is analyzed, sent to cloud
4. File signature is known to be malicious and is prevented from entering the system
Point-in-Time Detection | Retrospective Security – Cisco Collective Security Intelligence
24. Reputation Filtering Is Built On Three Features – Fuzzy Fingerprinting
1. Fingerprint of file is analyzed and determined to be malicious
2. Malicious file is not allowed entry
3. Polymorphic form of the same file tries to enter the system
4. The fingerprints of the two files are compared and found to be similar to one another
5. Polymorphic malware is denied entry based on its similarity to known malware
25. Reputation Filtering Is Built On Three Features – Machine Learning Decision Tree
Decision tree outcomes: possible clean file / possible malware → confirmed clean file / confirmed malware
1. Metadata of unknown file is sent to the cloud to be analyzed
2. Metadata is recognized as possible malware
3. File is compared to known malware and is confirmed as malware
4. Metadata of a second unknown file is sent to the cloud to be analyzed
5. Metadata is similar to a known clean file, possibly clean
6. File is confirmed as a clean file after being compared to a similarly clean file
26. Behavioral Detection Is Built On Four Features – Indications of Compromise
1. File of unknown disposition is encountered
2. File replicates itself and this information is communicated to the cloud
3. File communicates with malicious IP addresses or starts downloading files with known malware disposition
4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client
5. These indications are prioritized and reported to the security team as a possible compromise
27. Behavioral Detection Is Built On Four Features – Dynamic Analysis (AMP Threat Grid Sandbox)
1. Dynamic Analysis Engine executes unknown files in on-premises or cloud sandboxes powered by Cisco® AMP Threat Grid
2. Two files are determined to be malware, one is confirmed as clean
3. Intelligence Cloud is updated with analysis results, and retrospective alerts are broadcast to users (the collective user base)
28. Retrospective Security: To be effective, you have to be everywhere, continuously
29. Why Continuous Protection Is Necessary
• Context: who, what, where, when, how
• Enforcement
• Continuous Analysis: event history, Collective Security Intelligence
32. “File Trajectory” – What systems were affected?
• Visibility centered on a given file
• What systems are potentially infected?
• Who was the first (“Patient 0”)?
• What was the point of entry?
• When?
33. How Cisco AMP Works: Network File Trajectory Use Case
35. An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
36. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
37. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
38. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
39. The Cisco® Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
40. At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
41. Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
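The file trajectory and retrospective event flow from the use case above, written out as an added Python example (not the deck's or Cisco AMP's code): the event times, the placeholder hash and the source host of each SMB hop are constructed from the slide narrative, and FileTrajectory and run_scenario are hypothetical names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

UNKNOWN, MALICIOUS = "unknown", "malicious"


class FileTrajectory:
    """Track every host a file (by hash) reached so a later verdict can be applied retrospectively."""

    def __init__(self):
        self.sightings = defaultdict(list)  # hash -> [(time, host, came_from, application)]
        self.disposition = {}               # hash -> current verdict from the intelligence cloud

    def observe(self, when, sha256, came_from, host, app):
        """A file arrives on `host`: block it if the hash is already known bad, else admit and record it."""
        if self.disposition.get(sha256) == MALICIOUS:
            return "blocked"
        self.disposition.setdefault(sha256, UNKNOWN)
        self.sightings[sha256].append((when, host, came_from, app))
        return "admitted"

    def retrospective_verdict(self, sha256, verdict):
        """The cloud changed its verdict; return every host that ever received the file, earliest first."""
        self.disposition[sha256] = verdict
        if verdict != MALICIOUS:
            return []
        hosts = []
        for _, host, _, _ in sorted(self.sightings[sha256]):
            if host not in hosts:
                hosts.append(host)
        return hosts

    def patient_zero(self, sha256):
        """Answer the File Trajectory questions: who was first, when, and through which point of entry."""
        when, host, came_from, app = min(self.sightings[sha256])
        return {"host": host, "when": when, "entry": f"{app} from {came_from}"}


def run_scenario():
    """Replay of the slide narrative with constructed times, a placeholder hash and assumed hop sources."""
    t, h = FileTrajectory(), "sha256-placeholder"
    t0 = datetime(2015, 6, 1, 10, 57)
    t.observe(t0 - timedelta(minutes=10), h, "internet", "10.4.10.183", "Firefox")  # initial download
    t.observe(t0, h, "10.4.10.183", "10.5.11.8", "transfer")                          # 10:57 transfer
    t.observe(t0 + timedelta(hours=7), h, "10.5.11.8", "10.3.4.51", "SMB")            # seven hours later
    t.observe(t0 + timedelta(hours=7, minutes=30), h, "10.3.4.51", "10.5.60.66", "SMB")
    alerted = t.retrospective_verdict(h, MALICIOUS)   # cloud now knows the file is malicious
    reentry = t.observe(t0 + timedelta(hours=8), h, "internet", "10.4.10.183", "Firefox")
    return {"alerted": alerted, "reentry": reentry, "patient_zero": t.patient_zero(h)}
```

Every host in `alerted` is one that a point-in-time verdict of "clean" would have left untracked; the re-entry attempt is refused only because the earlier sightings kept the hash under continuous analysis.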
46. When Malware Strikes, Have Answers
• Where did it come from?
• Who else is infected?
• What is it doing?
• How do I stop it?
Device Trajectory | File Trajectory
47. And Solutions: Outbreak Control
Multiple ways to stop threats and eliminate root causes
• Simple Custom Detections – fast & specific
• Advanced Custom Signatures – families of malware
• Application Blocking Lists – group policy control
• Custom White Lists – trusted apps & images
• Device Flow Correlation / IP Blacklists – stop connections to bad sites
Simple and specific controls OR context-rich signatures for broader control
Cloud & Client Based
64. The AMP Everywhere Architecture
AMP Protection Across the Extended Network for an Integrated Threat Defense
• AMP Threat Intelligence Cloud
• AMP for Endpoints: Windows OS, Android Mobile, Virtual, Mac OS, CentOS/Red Hat Linux for servers and datacenters; remote endpoints (AMP for Endpoints can be launched from AnyConnect)
• AMP on Web and Email Security Appliances
• AMP on Cisco® NGFW Firewalls
• AMP Private Cloud Virtual Appliance
• AMP for Networks (AMP on Firepower NGIPS Appliance bundle)
• AMP on Cloud Web Security and Hosted Email (CWS/CTA)
• Threat Grid: Malware Analysis + Threat Intelligence Engine
• AMP on ISR with Firepower Services
65. Deployment Options in Detail
AMP on ESA, WSA, ASA, CWS
• Method: license with ESA, WSA, CWS, or ASA
• Ideal for: new or existing Cisco CWS, Email/Web Security, ASA customers
• Details: ESA/WSA: prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services
AMP for Networks (AMP on FirePOWER Network Appliance)
• Method: snap into your network
• Ideal for: FirePOWER NGIPS customers
• Details: wide visibility inside the network; broad selection of features before, during, and after an attack
AMP for Endpoints
• Method: install lightweight connector on endpoints
• Ideal for: Windows, Mac, Android, Linux, virtual machines; can also deploy from AnyConnect client
• Details: comprehensive threat protection and response; granular visibility and control; widest selection of AMP features
AMP Private Cloud Virtual Appliance
• Method: deploy on-premises virtual appliance
• Ideal for: high-privacy environments
• Details: Private Cloud option for those with high-privacy requirements; can deploy full air-gapped mode or cloud proxy mode; for endpoints and networks
Threat Grid integration status across the options: integrated into file analysis feature; cloud integration in November 2015, on-premises integration in 1H 2016; hybrid or on-premises integration; integration coming in 1H 2016
67. What is AMP Threat Grid? Industry’s 1st Unified Malware Analysis and Threat Intelligence Solution
Automated Analysis
• Static and dynamic analysis
• Sandboxing is only part of it
• Cloud-based SaaS or appliance
Context Rich Analytics
• Quickly answer why something is bad
• Where it was communicating to
• If it has been seen before
Seamless Integration
• Edge to endpoint with Cisco security solutions
• OEM integrations
• API for 3rd party integrations
68. Introducing: Threat Grid Everywhere
AMP Threat Grid (dynamic analysis, static analysis, threat intelligence) takes in suspicious files and returns analysis reports and premium content feeds to security teams.
• Cisco Security Solutions (edge and endpoints): ASA w/ FIREPOWER Services, ESA, CTA, WSA, AMP for Endpoints, AMP for Network, Partner Integration
• Non-Cisco Security Solutions: Security Monitoring Platforms, Deep Packet Inspection, Gov/Risk/Compliance, SIEM
70. Cisco AMP = Contextual Awareness + Visibility
• What: these applications are affected
• Where: the breach affected these areas
• When: this is the scope of exposure over time
• How: here is the origin and progression of the threat
• Who: focus on these users first
71. Summary: AMP!
• We see what others can’t – Unmatched visibility.
• CSI Intelligence – Zero Day Threats Protection.
• BDA Security Model - Not only a point-in-time solution.
• AMP Deployment – AMP Everywhere, meaning flexibility.
72. AMP Assets to Learn More
AMP Webpages
www.cisco.com/go/amp
www.cisco.com/go/ampsolution
www.cisco.com/go/ampendpoint
www.cisco.com/go/ampnetwork
www.cisco.com/go/ampprivatecloud
www.cisco.com/go/amptg
• Cloud deployment
• On-premises deployment
AMP Solution Overview Videos
AMP for Endpoints Overview Video
AMP for Networks Overview Video
Cisco Executive Perspectives on Security
AMP Threat Grid Overview Video
AMP Overview in 4 Minutes: Meet Tom, the IT Security Guy
John Chambers on Cisco Security and AMP
Demos
5-minute AMP Demo, with Threat Grid integration
AMP Threat Grid for Incident Response
AMP and Threat Grid Full Demo on Techwise TV, June 2015
AMP Threat Grid: Portal overview and API demo
Customer Testimonials
Playlist of all Customer Testimonials on AMP
First Financial Bank
SHSU uses AMP for Endpoints
Center for Internet Security uses AMP Threat Grid
73. AMP Assets to Learn More
Data Sheets, At-a-Glances, Infographic, Whitepapers
AMP Solution Overview
AMP for Networks: Data Sheet | AAG
AMP for Endpoints: Data Sheet | AAG
AMP Private Cloud: Data Sheet
Security Everywhere Whitepaper (direct link)
AMP Threat Grid Solution Overview
AMP Threat Grid - Appliance: Data Sheet | AAG
AMP Threat Grid - Cloud: Data Sheet
Continuous Endpoint Protection in a
Point-in-Time World
Third Party Validation
Gartner Video-on-Demand: Strategies to Combat Advanced Threats featuring Cisco AMP
2015 NSS Labs Breach Detection Test Results