My name is <your name> and I’m with Cisco. I’ve been here __ years. Thanks for taking the time to meet with me about Advanced Malware Protection
<click>
When it comes to today’s threats, technology addresses malware as a single detectable entity.
But in reality, today’s advanced malware is a criminal enterprise built on multiple pieces of software coordinating and working together.
The real problem is that the multiple pieces of malware, and their relationships, are often hidden amongst all the point-in-time file analysis and file detection that is going on.
The real relationships that exist in these entities get lost in the noise of network traffic and can be easily missed by conventional point-in-time methods.
<click>
Comprehensive security requires three things, 1) Breach Protection, 2) Breach Detection and 3) Collective Intelligence.
<click>
First, we have to be able to stop the bad things we know about from getting into your environment. It’s a first line of defense and it’s the cornerstone of traditional security.
<click>
We also have to be able to find and fix the problems we already recognize and know how to remediate. We all know that detection isn’t 100% effective, there will always be infections. Because of this we have to have a method for detecting the things that get through point-in-time defense.
<click>
Finally, and most crucial for today’s advanced malware, comprehensive security must be able to find active compromises going on that are not known to be malware and would not be recognized by point in time engines. We must have the ability to find the things we don’t know about, even though they are already in our systems and we don’t know how to look for them.
<click>
In order to deliver against these three requirements effectively, it requires cloud-based heavy lifting.
There are multiple inputs that you’ll need to process in order to get the kind of intelligence and insight you need to deliver security effectively, for both point-in-time AND continuous monitoring capabilities.
Notice that this slide looks familiar from other vendors, but the numbers behind it are what allow Cisco to truly deliver this kind of protection.
Cisco is processing 35% of the world’s email traffic. With millions of sensors giving us input, we are able to mine that data for insight into vendor relationships and run reputations against it.
Combine that with intelligence from the Vulnerability Research Team, which is constantly being built through their relationships with all the big vendors (Microsoft, Adobe, and Apple) and consists of nearly 200,000 unique files that are processed and executed virtually every single day, to discover artifacts or indications of compromise that would otherwise go undetected.
The global network of honeypots and more, and the kind of intelligence that feeds through our research team, allows you to gain the capabilities that only we can deliver with continuous monitoring.
It’s all delivered through our cloud platform, which we call Collective Security Intelligence, and which allows you to take advantage of IPS rules, firewall categories, and all the other advanced analytics that we can push out across the protection continuum.
<click>
There are two types of protection that are essential for complete security: point-in-time and retrospection. The truth is you NEED both.
<click>
Consider point-in-time plan A. You’re going to spend time up front, targeting the assets of your environment and quantifying your areas of weakness.
You’ll use tools like vulnerability assessment and management tools, you’ll use patch management, VPN firewalls, things like that. Even IPS, those are tools that you use for the point-in-time detection piece.
Our point-in-time detection lattice is built on 7 features, providing both file reputation and behavioral detection. Let’s take a look at each of these seven features.
<click>
Building on the level of scope provided by file trajectory, Device Trajectory provides robust time window analysis into system processes to understand root cause history and lineage with the ability to expand or contract the time window and filter to quickly pinpoint the exact cause of compromise.
In the animation:
The unknown file is transferred to this particular device <click>
The files move around, executing different commands on the device <click>
Device Trajectory records those individual actions executed by that file on that particular device <click>
That data is leveraged to trace back the root of the infection and contribute to profiling different malware signatures <click>
Cisco’s Advanced Malware Protection solutions utilize big data analytics to continuously aggregate data and events across the extended network - networks, endpoints, mobile devices and virtual environments - to deliver visibility and control against malware and persistent threats across the full attack continuum – before, during and after an attack.
We leverage continuous analysis, and real-time security intelligence to deliver detection, tracking, analysis, and remediation to protect the enterprise against malware and targeted, persistent attacks:
As you may know, we offer Advanced Malware Protection for Content, Networks and Endpoints:
Cisco’s AMP can be easily added on to existing web and email security appliances with the flip of a switch to give you retrospective security on your gateway.
Cisco’s Advanced Malware Protection for FirePOWER can be an integrated software-enabled subscription added to any FirePOWER NGIPS or NGFW appliance, or a dedicated Advanced Malware Protection Appliance.
FireAMP offers Advanced Malware Protection for Endpoints, using the same big data analytics to protect Windows-based systems and mobile devices against malware in both physical and virtual environments.
<click>
IF MORE DETAIL NEEDED:
AMP for FirePOWER:
Detection and blocking of malware infected files attempting to enter or traverse the network
Continuous analysis and subsequent retrospective alerting of infected files in the event malware determination changes after initial analysis
Tracking of malware that has entered the network; identifying point of entry, propagation, protocols used, users and host affected
Correlation of malware related events with broader security events and contextual data to provide comprehensive picture of malicious activity
Identification and control of BYOD devices on the network
FireAMP
Malware blocking and continuous analysis
Defend endpoints and remote workers against sophisticated malware – from the point of entry through propagation, to post-infection remediation
Detection & blocking of malware, confirmation of infection, trace its path, analyze its behavior, remediate its targets and report on its impact
Tracking malware proliferation and activity
Indications of compromise
Root cause analysis
Outbreak control
Impact reporting
Each platform has slightly different functionality.
AMP for Content gives you the ability to:
Detect and block malware attempting to enter through email or web gateways
Receive extensive reporting, URL/Message tracking and remediation prioritization
Easily add on to an existing appliance or in the cloud
AMP for Network lets you:
Identify point of entry, propagation, protocols used, users and host affected
Receive a comprehensive picture of malicious activity with contextual data
Control BYOD devices on the network
AMP for Endpoint enables you to:
Find an infection, trace its path, analyze its behavior
Mitigate damage quickly and eliminate the risk of reinfection
Locate indications of compromise at both the network and system level
<click>
In this screenshot you can see an example of the detailed reporting provided by AMP for Networks.
The Network platform uses indications of compromise, file analysis, and in this example, file trajectory to show how files move across systems to help in remediation.
<click>
This screenshot is from a Use Case that can be covered later in the deck.
In this screenshot you can see an example of the detailed reporting provided by AMP for Endpoint.
The Endpoint platform has device trajectory, elastic search and outbreak control which in this example, is shown quarantining recently detected malware on a device that has the FireAMP connector installed.
<click>
This screenshot is from a Use Case that can be covered later in the deck.
In this screenshot you can see an example of the reporting provided by AMP for Content, which protects against web and email threats by issuing retrospective alerts for known malware or for websites where malicious reputations are detected.
<click>
Each deployment option offers extensive protection across its particular threat vector but since infections are designed to spread, protecting against one or two attack vectors is insufficient for today’s threats.
Deploying AMP across Content, Network and Endpoint is the best available means of complete environment protection, quarantine and remediation.
<click>
<click>
This use case gives a great view of a file being introduced, retrospective events occurring, quarantining, and future events being blocked. This is a great illustration of the correlation between end-point and network data.
<click>
This is the actual program view, showing the path of a file across multiple devices. By hovering over an event you can see details like where the file came from originally, when it was downloaded, what type of event it is, and the program name. All this information is just a mouse hover away.
<click>
Here we see the first event, a file with an unknown disposition is present on IP: 10.4.10.183
<click>
It enters the network by being transmitted from 10.4.10.183 to 10.5.11.8, and the file still has a disposition of unknown. We did not know it was bad. But we do know that it was introduced by a user downloading this file over HTTP using the Firefox web browser. That file then sat on 10.5.11.8.
<click>
After a period of inactivity, the file transmits down to machine 10.3.4.51 over SMB, the application protocol listed in the grey box. So it starts transmitting using internal Microsoft file-sharing protocols. This file has not yet been identified as malware and so its disposition is still unknown.
<click>
The file copies itself onto a fourth machine a half hour later using the same application protocol.
<click>
At 6:14, we see a retrospective event turn up, and it appears for all 4 machines at the same time. Our disposition has now gone from unknown to known malware. So we've alerted each of these four machines and the Defense Center that malware has been found in the environment, enabling the user to track how that file propagated around the network and understand the scope of the breach.
<click>
This machine here, 10.5.11.8, we can see has the FireAMP endpoint connector installed. We know this because immediately after that retrospective event was raised, the endpoint quarantined the file. So by having the connector on the endpoint you have the ability to clean up, remediate and quarantine that infection on the endpoint in near real time.
<click>
Later the file once again tried to move around the network. This time once again, by someone trying to send the file over HTTP using the application Firefox. This time, because the file is now known to be malware, this transmission was blocked.
<click>
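The use case above (a file passing through with an unknown disposition, a retrospective verdict change alerting every host that already has it, a connector-equipped host quarantining, and later transfers being blocked) can be modelled as a small event-correlation routine. This is an added example, not Cisco's code: the file hash, the fourth host (10.3.4.77), the final destination (10.6.1.20) and the timestamps are constructed placeholders that follow the narrative.

```python
from collections import defaultdict

# Placeholder identifier for the unknown file (constructed, not a real indicator)
SHA = "sha256:<sample-file>"


class FileTrajectory:
    """Toy model of file trajectory with point-in-time checks and retrospective alerting."""

    def __init__(self, connectors):
        self.connectors = set(connectors)      # hosts that have the endpoint connector
        self.disposition = {}                  # sha -> "unknown" | "malware" | "clean"
        self.hosts_seen = defaultdict(set)     # sha -> every host the file has touched
        self.events = []                       # (time, action, host or hop)

    def transfer(self, ts, sha, src, dst, proto, app):
        """Point-in-time check: block known malware, otherwise record the hop and let it through."""
        if self.disposition.get(sha) == "malware":
            self.events.append((ts, "BLOCKED", f"{src}->{dst} {proto}/{app}"))
            return False
        self.disposition.setdefault(sha, "unknown")
        self.hosts_seen[sha].update((src, dst))
        self.events.append((ts, "SEEN", f"{src}->{dst} {proto}/{app}"))
        return True

    def set_disposition(self, ts, sha, verdict):
        """Retrospective event: a change to malware alerts every host that already holds the file,
        and hosts with a connector quarantine it immediately."""
        old = self.disposition.get(sha, "unknown")
        self.disposition[sha] = verdict
        if verdict == "malware" and old != "malware":
            for host in sorted(self.hosts_seen[sha]):
                action = "QUARANTINED" if host in self.connectors else "ALERT"
                self.events.append((ts, action, host))


def replay_use_case():
    """Replay the transfers from the use case; hosts beyond those named in the text are constructed."""
    t = FileTrajectory(connectors={"10.5.11.8"})
    t.transfer("05:00", SHA, "10.4.10.183", "10.5.11.8", "HTTP", "Firefox")
    t.transfer("05:40", SHA, "10.5.11.8", "10.3.4.51", "SMB", "FileSharing")
    t.transfer("06:10", SHA, "10.3.4.51", "10.3.4.77", "SMB", "FileSharing")  # fourth host, constructed
    t.set_disposition("06:14", SHA, "malware")   # retrospective event for all four hosts
    t.transfer("07:30", SHA, "10.5.11.8", "10.6.1.20", "HTTP", "Firefox")     # now blocked
    return t


if __name__ == "__main__":
    for ev in replay_use_case().events:
        print(*ev)
```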