Cisco Advanced Malware Protection uses a combination of techniques including signatures, machine learning, dynamic analysis, and behavioral analytics to both prevent known threats and detect previously unknown threats retrospectively. It provides security for networks, endpoints, and mobile devices through a cloud-based platform that shares threat intelligence between Cisco and its customers.
TechWiseTV Workshop: OpenDNS and AnyConnect (Robb Boyd)
Join this in-depth look and detailed demonstration of the OpenDNS Umbrella integration with AnyConnect and how it really can stop most threats before they become serious problems, protecting users anywhere they go, even when the VPN is off.
Watch the workshop replay: http://bit.ly/2bPT1ax
Watch the Video: http://bit.ly/2c60obv
ASA Firepower NGFW Update and Deployment Scenarios (Cisco Canada)
This session focuses on typical deployment scenarios for the Adaptive Security Appliance family running FirePOWER Services. It also includes a feature overview and comparison of the ASA with FirePOWER Services and the new Firepower Threat Defense (FTD) image, with updates on the new Firepower hardware platform. Deployment use cases include Internet Edge, various segmentation scenarios, and VPN. A configuration walk-through and accepted best practices are covered. This session is designed for existing ASA customers and targets the security and network engineer, who will learn the benefit of a Firepower NGFW in network edge and Internet use cases.
Hope you did not miss our deep dive: Cisco APIC-EM: IT Speed and Simplicity Through Automation
Ronnie Ray walked through Cisco's purpose-built enterprise controller, built to help you move to software-defined networking (SDN) that works both on existing networks and on new infrastructure.
Watch and Listen to the workshop replay at cs.co/6017Bl8Kb
(check out the Digital Network Architecture episodes Part 1 and 2 at http://www.techwisetv.com)
You will learn how Cisco engineers created the world’s best network automation controller, which provides enterprise resiliency and scale, an open and extensible platform, and a full suite of policy-driven SDN applications.
You’ll learn about multiple time-saving apps that cover the complete network service lifecycle and drive policy enforcement consistently across the enterprise to make sure of zero-touch infrastructure deployment, quality of experience, and rapid troubleshooting.
Moving to software-driven networking is the future. Join us and find out how to start your journey today.
This presentation highlights the Cisco Security Architecture. For more information on Cisco's security products and solutions, please visit our website here: http://www.cisco.com/web/CA/products/vpn.html
Your network holds the key to defending your organization. The Cisco switches, routers, and wireless solutions you deploy can complement and empower your security systems. Cisco provides a broad portfolio of capabilities to improve your defenses across the entire attack continuum. This presentation outlines how you can use your network as a sensor to protect your data, your customers, and your reputation.
Register to Watch Webcast: http://cs.co/9003CRsH
Join the Conversation: http://cs.co/9008CRt6
Network security specialist Catherine Paquet fills you in on advanced threat protection that integrates real-time contextual awareness, intelligent security automation and superior performance with industry-leading network intrusion prevention, Sourcefire.
ABOUT THE PRESENTER
Catherine Paquet, CCSI, CCNP Security, CCNP Routing and Switching, is a network security specialist. She began her internetworking career as a LAN manager, then MAN manager, and eventually became a nationwide WAN manager with the Department of National Defence. Paquet lectures around the world on security topics, including firewalls, VPNs, intrusion prevention, identity systems, email and Web security, and router and switch security. During her spare time, she authors Cisco Press books, and she volunteers as a network security analyst to nonprofit organizations. Paquet attended the Royal Military College Saint-Jean (Canada) and holds an MBA in Management Information Systems (MIS) from York University.
Presentation - Cisco ASA with FirePOWER Services (Oscar Romano)
As more companies move their business models toward mobility, the cloud and the Internet of Things, their security solutions must become more dynamic and scalable. However, to date, most security solutions have not kept pace with this change and have been unable to adapt to new threats and attacks. Today, security solutions are based on a binary “good vs. bad” model, which lacks the visibility needed to understand context. On September 16, Cisco unveiled its latest step in this direction.
Preview of the latest Sourcefire IPS product news. We go into the details of the product news announced by Sourcefire in the last month, including:
New 3D8000 Series Sensors with FirePOWER
New Defense Center Models
New IPSx Solution
TechWiseTV Workshop: Cisco Stealthwatch and ISE (Robb Boyd)
Replay the live event: http://cs.co/90008z2Ar
Learn how your existing Cisco network can help you to know exactly who is doing what on the network with end-to-end visibility, differentiate anomalies from normal behavior with contextual threat intelligence and stop threats and mitigate risk with one-click containment of users and devices.
It’s time for the network to protect itself. Please make time for this important workshop.
Resources:
Watch the Cisco Stealthwatch and ISE full episode: http://cs.co/90008z24M
Network as a Sensor-Enforcer on CCO:
http://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-network-security/net-sensor.html
Cisco ISE Community
http://cs.co/ise-community
Behind the Curtain: Exposing Advanced Threats (Cisco Canada)
Today's advanced threats hide in plain sight, patiently waiting to strike, challenging security teams to track their progress across their network and endpoints. Meanwhile, executive and board-level reporting requirements are increasing as leadership demands in-depth answers that are unavailable from today’s block/allow security tools. With 55% of organizations unable to identify the origin of their last security breach, it’s time to stop relying on tools that define security based on what they see ‘out there’ and instead hunt for threats by tracking files, file relationships, and both endpoint and network behavior ‘in here’—inside your environment. In the first part of this interactive session, learn how Cisco’s Advanced Malware Protection (AMP) solutions use big data analytics to compare a real-time, dynamic history of your environment to the global threat landscape, automatically uncovering and blocking advanced threats before they strike. Then watch workflow examples demonstrating how your security team can use this advanced visibility and control to dramatically improve their efficiency and finally deliver the business 100% confidence answers.
Emerging Threats - The State of Cyber Security (Cisco Canada)
The security threat landscape is constantly in flux as attackers evolve their skills and tactics. Cisco's Talos team specializes in the early-warning intelligence and threat analysis necessary to help secure a network in light of this ever-changing and growing threat landscape. Talos advances the overall efficacy of all Cisco security platforms by analyzing data feeds, collaborating with teams of security experts, and developing cutting-edge big data technology to identify security threats. In this talk we will perform a deep analysis of recent threats and see how Talos leverages large data intelligence feeds to deliver product improvements and mitigation strategies.
Watch the TechWiseTV Episode: http://cs.co/9001Bvqpz
Watch the workshop replay: http://bit.ly/2bAsxby
See how the latest evolution of Cisco TrustSec helps protect critical assets by extending and enforcing policies anywhere in your network. Go in-depth with how Cisco TrustSec simplifies your network security with software-defined segmentation.
Security Day SLBdiesten: 26 June 2015
McAfee presentation: Learn how to make (cost-)efficient use of new, integrated McAfee technologies for protection against advanced malware. By Wim van Campen, Regional Vice President North & East Europe, Intel Security.
Cisco, Sourcefire and Lancope - Better Together (Lancope, Inc.)
Technology overview for Sourcefire FireSIGHT and Lancope StealthWatch including:
• Core features and functionality
• Market positioning and differentiators
• Technology integration for effective incident response
The top two attack vectors for malware are email and web browsers. Watering-hole attacks conceal malware on member-based sites and phishing scams can target individuals with personal details. This PPT describes a different security approach to protect against these threats while achieving business growth, efficiency and lowered expenses. The presentation features Cisco Email, Web and Cloud Web Security and covers basic features, offers, benefits, newest features and product integrations. Watch the webinar: http://cs.co/9004BGqvy
2023 NCIT: Introduction to Intrusion Detection (APNIC)
APNIC Senior Security Specialist Adli Wahid presents an Introduction to Intrusion Detection at the 2023 NCIT, held in Suva, Fiji from 17 to 18 August 2023.
RIoT (Raiding Internet of Things) by Jacob Holcomb (Priyanka Aash)
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
To sign up (it's free): www.cisoplatform.com
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response and detecting and preventing threats, and, most importantly, having your security team serve your business and mission? Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.
From the demise of conventional signature-based endpoint technologies have risen next generation solutions. These technologies have cluttered the marketplace introducing a conundrum for endpoint selection. This session will focus on the key requirements for effective security prevention, detection, and remediation. It will introduce a real-world framework for categorizing endpoint capabilities, and enable selection of solutions matching the unmet needs of security programs. The following topics will be covered:
• What do I actually need?
• Real-world framework to categorize endpoint capabilities
• Map vendors into buckets within the framework
• Housekeeping, what's needed before you even start?
• Cheat sheet of probing questions to ask vendors
• Best practices of deploying best of breed solutions
As the industry’s first Secure Internet Gateway in the cloud, Cisco Umbrella provides the first line of defense against threats on the internet, protecting all your users within minutes.
Cisco Advanced Malware Protection offers global threat intelligence, advanced sandboxing and real-time malware blocking to prevent breaches while it continuously analyzes file activity across your network, so that you can quickly detect, contain and remove advanced malware.
Presentation of Cisco Security Architecture and Solutions such as Cisco Advanced Malware Protection (AMP) and Cisco Umbrella during Simplex-Cisco Technology Session that took place at the Londa Hotel in Limassol on 14 March 2018.
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr... (PaloAltoNetworks)
Palo Alto Networks Live Community Senior Engineers Tom and Joe present best security practices at the Fuel Spark event in London. For more details, please visit: https://live.paloaltonetworks.com/t5/Community-Blog/Live-Community-team-at-Spark-User-Summit-London/ba-p/153182
Talk from the event "Cybersecurity: the new era in incident response and data auditing"
Jim Butterworth - Senior Cybersecurity Director, Guidance Software Inc.
Brasília, 4 August 2010
How to protect your corporate from advanced attacks (Microsoft)
Cybersecurity is a top priority for the CSO/CISO, and the budget allocated, especially in a large organization, is growing. The complexity and sophistication of cyber threats are increasing. What are these current threats, and how can Microsoft help your organization in its efforts to eliminate cyber threats?
10. Plan A: The Prevention Framework
• 1-to-1 Signatures
• Ethos
• Spero
• IOCs
• Dynamic Analysis
• Advanced Analytics
• Device Flow Correlation
11. The Prevention Framework: 1-to-1 Signatures
• Traditional technology. All vendors use it at some level
– SHA-256
– Cloud-Enabled Coverage
– Full Signature Database Protection
– Custom Detection Capabilities
Signatures (also called one-to-one): a very simple approach that ostensibly represents the approach taken by every vendor at one level.
• Specific file matches
• Can be easily evaded by elementary file changes
12. Prevention Framework: Ethos Engine
• ETHOS = Fuzzy Fingerprinting using static/passive heuristics
– Polymorphic variants of a threat often have the same structural properties
– Not concerned with binary contents
– Higher multiplicity
• Capture original and variants
– Traditionally created manually
– Best analysts = few generic sigs/day
– Automated generic signature creation = SCALE
Ethos: a generic signature capability, again ostensibly similar to the generic detection capabilities that some vendors provide.
• Directed at families of malware
• Can have more false positives than 1-to-1 signatures
13. Prevention Framework: Spero Engine
• Machine Learning
– Automatically constructs a framework
– Needs data to learn/adjust
– Requires large sets of good data
• Behavior modeling
– Discovers patterns better than human analysts
• 0-day insight is the goal
Spero: a machine-learning based technology that proactively identifies threats that were previously unknown.
• Uses active heuristics to gather execution attributes
• Needs good data in large sets to tune
• Built to identify new malware
14. Prevention Framework: Device Flow Correlation
• Internal and External Networks monitored
• Timestamp
• IP Address/Protocol/Port
• IP Reputation Data
• URL / Domain logging
• File downloads
• Dropper Detection/Removal in unknown files
• Flow points = extra telemetry data, not disposition specific
Device Flow Correlation: a kernel-level view into Network I/O. Allows blocking or alerting on network activity, traced back to the initiating process.
Cisco-provided intelligence: generic CnC servers, phishing hosts, ZeroAccess CnC servers, etc.
Custom-defined lists
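The slide describes flow correlation in three parts: per-process flow telemetry, matching destinations against vendor-provided and custom lists, and tracing a hit back to the initiating process. The following is an added illustration of that logic, not Cisco's code and not the AMP connector's internals. Every flow record, indicator and list value is constructed for the example (documentation address ranges only); the split into a custom block list and a custom allow list that overrides the feed is an assumption about how "custom-defined lists" would be used, and the "flow points" counter shows why every flow is kept even when it matches nothing.

```python
"""Device flow correlation, as an added illustration of the slide above (not Cisco's code).
Per-process network flows are matched against reputation lists and each hit is traced back
to the process that opened the connection. All flows and indicators are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    """One network flow record as a kernel-level sensor would report it (constructed)."""
    ts: str
    pid: int
    process: str   # image name of the process that initiated the connection
    proto: str
    dst_ip: str
    dst_port: int


# Hypothetical vendor-provided intelligence: category -> indicator set (constructed values).
INTEL: Dict[str, Set[str]] = {
    "generic_cnc": {"203.0.113.10"},
    "phishing_host": {"198.51.100.7"},
}
# Hypothetical custom-defined lists kept by the organisation (constructed values).
CUSTOM_BLOCK: Set[str] = {"192.0.2.99"}
CUSTOM_ALLOW: Set[str] = {"198.51.100.7"}   # analyst override for a feed false positive


def classify(flow: Flow,
             intel: Dict[str, Set[str]] = INTEL,
             block: Set[str] = CUSTOM_BLOCK,
             allow: Set[str] = CUSTOM_ALLOW) -> Optional[Dict[str, object]]:
    """Return an alert for a flow whose destination is on a list, else None.
    Custom allow entries win over everything so analysts can suppress a feed error."""
    if flow.dst_ip in allow:
        return None
    if flow.dst_ip in block:
        category = "custom_block"
    else:
        category = next((c for c, ips in intel.items() if flow.dst_ip in ips), None)
        if category is None:
            return None
    return {
        "ts": flow.ts,
        "category": category,
        "dst": f"{flow.dst_ip}:{flow.dst_port}/{flow.proto}",
        "initiating_process": f"{flow.process} (pid {flow.pid})",
        "action": "block",
    }


def correlate(flows: List[Flow]) -> List[Dict[str, object]]:
    """Run every flow through the lists and keep the hits, in arrival order."""
    return [alert for f in flows if (alert := classify(f)) is not None]


def flows_per_process(flows: List[Flow]) -> Dict[str, int]:
    """'Flow points' telemetry: every flow is counted, hit or not, so that a later
    investigation can see what else a process talked to."""
    counts: Dict[str, int] = {}
    for f in flows:
        counts[f.process] = counts.get(f.process, 0) + 1
    return counts


# Constructed sample telemetry: one mail client, one unknown binary, one browser.
SAMPLE_FLOWS = [
    Flow("09:00:01", 4120, "outlook.exe", "tcp", "192.0.2.50", 443),
    Flow("09:00:07", 5533, "unknown_tool.exe", "tcp", "203.0.113.10", 8080),
    Flow("09:00:09", 5533, "unknown_tool.exe", "tcp", "192.0.2.99", 4444),
    Flow("09:01:00", 4120, "outlook.exe", "tcp", "198.51.100.7", 443),
    Flow("09:02:30", 7001, "chrome.exe", "udp", "192.0.2.53", 53),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_FLOWS):
        print(alert)
    print(flows_per_process(SAMPLE_FLOWS))
```

Two of the five constructed flows produce alerts, both attributed to the same unknown process; the phishing-host hit is suppressed by the allow list, and the per-process counter still records all five flows.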
15. Prevention Framework: Advanced Analytics
Context from Spectrum Techniques
• Dropkick
– Examines dropped file relationships over a 24 hour period
• Recon
– Age of a file in an entire install base
• Prevalence
– Frequency of file execution inside the organization
Advanced Analytics: a set of multi-faceted engines that provide large-data context
• Beyond single host
• Beyond single file
• Can uncover new threats missed by a narrow focus
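The three analytics on this slide are each a query over install-base telemetry rather than over one file on one host. The following added example (not Cisco's code, and not how the real engines are implemented) computes all three over a constructed event stream: prevalence as the number of distinct hosts that executed a hash, recon-style age as time since the hash was first seen anywhere, and dropkick-style parent/child relationships limited to drops within 24 hours of the parent's first sighting. The hash values are placeholders, and the "rare and new" thresholds used to pick files for attention are assumptions for the example.

```python
"""Advanced analytics context (prevalence, file age, dropped-file relationships) over a
constructed set of file events. Added illustration, not Cisco's code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    sha256: str                   # the file this event is about (placeholder values below)
    action: str                   # "exec" = executed, "drop" = written to disk by parent
    parent: Optional[str] = None  # sha256 of the process that dropped it (drop events only)


def first_seen(events: List[FileEvent]) -> Dict[str, datetime]:
    """Earliest time each hash was seen on any host in the install base."""
    seen: Dict[str, datetime] = {}
    for e in events:
        if e.sha256 not in seen or e.ts < seen[e.sha256]:
            seen[e.sha256] = e.ts
    return seen


def prevalence(events: List[FileEvent]) -> Dict[str, int]:
    """Prevalence: number of distinct hosts on which each hash executed."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.action == "exec":
            hosts[e.sha256].add(e.host)
    return {sha: len(h) for sha, h in hosts.items()}


def file_age(events: List[FileEvent], now: datetime) -> Dict[str, timedelta]:
    """Recon-style age: how long the install base has known about each hash."""
    return {sha: now - ts for sha, ts in first_seen(events).items()}


def dropped_within(events: List[FileEvent],
                   window: timedelta = timedelta(hours=24)) -> Dict[str, Set[str]]:
    """Dropkick-style relationships: parent -> children it wrote within `window`
    of the parent's first sighting. Drops by a never-seen parent are ignored."""
    seen = first_seen(events)
    rel: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.action == "drop" and e.parent is not None:
            parent_first = seen.get(e.parent)
            if parent_first is not None and e.ts - parent_first <= window:
                rel[e.parent].add(e.sha256)
    return dict(rel)


def needs_attention(events: List[FileEvent], now: datetime,
                    max_prevalence: int = 2,
                    max_age: timedelta = timedelta(hours=48)) -> Dict[str, dict]:
    """Files that are both rare and new, annotated with the parent that dropped them
    (if any). Thresholds are assumptions for this example, not product defaults."""
    prev = prevalence(events)
    parents = {child: parent
               for parent, kids in dropped_within(events).items() for child in kids}
    out: Dict[str, dict] = {}
    for sha, age in file_age(events, now).items():
        if prev.get(sha, 0) <= max_prevalence and age <= max_age:
            out[sha] = {"prevalence": prev.get(sha, 0),
                        "age_hours": round(age.total_seconds() / 3600, 1),
                        "dropped_by": parents.get(sha)}
    return out


# Constructed telemetry: F1 is a widely run tool; F2 appears on one host, drops F3 a
# minute later and F4 a day and a bit later (outside the 24 h dropkick window).
T = datetime.fromisoformat
EVENTS = [
    FileEvent(T("2024-03-01T08:00:00"), "host-a", "F1", "exec"),
    FileEvent(T("2024-03-01T08:05:00"), "host-b", "F1", "exec"),
    FileEvent(T("2024-03-01T08:10:00"), "host-c", "F1", "exec"),
    FileEvent(T("2024-03-02T09:00:00"), "host-b", "F2", "exec"),
    FileEvent(T("2024-03-02T09:01:00"), "host-b", "F3", "drop", parent="F2"),
    FileEvent(T("2024-03-02T09:02:00"), "host-b", "F3", "exec"),
    FileEvent(T("2024-03-03T12:00:00"), "host-b", "F4", "drop", parent="F2"),
]
NOW = T("2024-03-03T12:00:00")

if __name__ == "__main__":
    print(prevalence(EVENTS))
    print(dropped_within(EVENTS))
    print(needs_attention(EVENTS, NOW))
```

On the constructed data the widely run F1 is left alone, while F2, F3 and F4 are singled out as rare and new; only F3 is linked back to its dropper, because F4 was written outside the 24-hour window and so is not attributed to F2.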
16. Prevention Framework: Dynamic Analysis
Dynamic Analysis: high-fidelity security intelligence, analysis reports, and decision support
• Threat scores provide context beyond typical good/bad decisions
• Key tool for SOC, Incident Response, and Security Intelligence teams
AMP Threat Grid
• Average sample analysis = 7.5 minutes
• Malware Sample Interaction [defeat CAPTCHAs]
• Video recording of malware actions
• Watch from the inside, from the outside
• More than “just a sandbox”
17. Plan A: The Prevention Framework
• 1-to-1 Signatures
• Ethos
• Spero
• IOCs
• Dynamic Analysis
• Advanced Analytics
• Device Flow Correlation
All Methods < 100% Detection
18. Plan B: The Retrospection Framework
Retrospective Security
Continuous Protection
19. Plan B: Retrospection Framework
Continuous Analysis (over time):
• Initial disposition = CLEAN; file allowed
• When you can’t detect 100%, visibility is critical
• Analysis continues
• Retrospective alert sent later when disposition = BAD
Typical Analysis (over time):
• Sandboxed; disposition = CLEAN; file allowed
– Sleep techniques
– Unknown protocols
– Encryption
– Performance
• Actually… disposition = BAD … too late!
• Analysis stops after initial disposition
21. How it works on the products
Endpoint (Windows, Mac)
• Exposes all File + Network Activity
• Traps fingerprint & attributes
• Traps Traffic Flow tuples
• Containment
Web-based Manager
Mobile Connector (Android)
• App installs
ASA & FirePower Appliances
• Detection of Files
• CnC Protocol Analysis
• IP and URL Reputation Analysis
• Exploit-kit Detection
• DNS Sinkholing
Cloud (Collective Security Intelligence)
• Big Data Analytics
• Machine Learning
• Collective Security Intelligence
• Dynamic File Analysis Sandbox
• Detection Publishing
• Reputation Data
• Transaction Processing
• Reporting
• Continuous Analysis
WSA/ESA
• Detection of Files
• IP and URL Reputation Analysis
• SSL/TLS Decryption
• Proxy & MTA
22. Host-based AMP
• Small (size of a print driver)
• Watches for move/copy/execute
• Traps fingerprint & attributes
• Queries cloud for file disposition
Web-based Manager [SaaS]
Network/Content AMP: Sensor + FireSIGHT Console, no agent required, Malware license
AMP for hosts, servers and mobile devices
Detection Services & Big Data analytics
24. How Cisco AMP Works: Network File Trajectory Use Case
26. An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
27. At 10:57, the unknown file is transmitted from IP 10.4.10.183 to IP 10.5.11.8.
28. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
29. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
30. The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
31. At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
32. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
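The retrospection slide (Plan B) and the file-trajectory use case above describe one mechanism: record where an unknown file goes, and when the cloud verdict later changes, act on every place it went. The following added example (not Cisco's code, and not the FireSIGHT or connector implementation) models that with a small tracker. The hosts, applications and order of transfers follow the use case; the timestamps, the hash value and the choice of 10.3.4.51 as the source of the copy to the fourth device are constructed assumptions, as is the rule that the re-entry attempt is blocked purely because the disposition is now MALWARE.

```python
"""Retrospective security over a network file trajectory. Added illustration of the
'Plan B' slides and the use case above; not Cisco's code. Timestamps, hash and the
source of the fourth transfer are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    ts: str
    sha256: str
    src: str
    dst: str
    app: str   # application protocol seen by the inspection point


class RetrospectiveTracker:
    def __init__(self, connector_hosts: Set[str]):
        self.connector_hosts = connector_hosts          # endpoints able to quarantine
        self.disposition: Dict[str, str] = {}           # sha256 -> UNKNOWN/CLEAN/MALWARE
        self.trajectory: Dict[str, List[Transfer]] = defaultdict(list)
        self.quarantined: Set[Tuple[str, str]] = set()  # (host, sha256)
        self.events: List[dict] = []

    def observe(self, t: Transfer) -> str:
        """A network inspection point sees a transfer. Known-malicious files are
        blocked; anything else passes, but its path is recorded so a later verdict
        can still be applied to every host that handled it."""
        if self.disposition.get(t.sha256, "UNKNOWN") == "MALWARE":
            self.events.append({"ts": t.ts, "type": "blocked", "host": t.dst,
                                "from": t.src, "sha256": t.sha256})
            return "blocked"
        self.trajectory[t.sha256].append(t)
        return "allowed"

    def hosts_seen(self, sha256: str) -> Set[str]:
        """Every host that sent or received the file while it was still allowed."""
        return {h for t in self.trajectory[sha256] for h in (t.src, t.dst)}

    def update_disposition(self, sha256: str, verdict: str, ts: str) -> List[dict]:
        """Cloud intelligence changes its verdict. A flip to MALWARE raises one
        retrospective event per host on the trajectory; hosts with a connector
        quarantine, the rest are alerted. Repeating the same verdict raises nothing."""
        previous = self.disposition.get(sha256, "UNKNOWN")
        self.disposition[sha256] = verdict
        raised: List[dict] = []
        if verdict == "MALWARE" and previous != "MALWARE":
            for host in sorted(self.hosts_seen(sha256)):
                action = "quarantined" if host in self.connector_hosts else "alerted"
                if action == "quarantined":
                    self.quarantined.add((host, sha256))
                raised.append({"ts": ts, "type": "retrospective", "host": host,
                               "sha256": sha256, "action": action})
            self.events.extend(raised)
        return raised


SAMPLE_HASH = "sha256-placeholder-unknown-file"   # constructed placeholder, not a real hash


def run_use_case() -> Tuple[RetrospectiveTracker, List[dict], str]:
    """Replay slides 26-32: three allowed transfers, a retrospective verdict, a blocked
    re-entry. Only 10.5.11.8 is assumed to run the endpoint connector."""
    tracker = RetrospectiveTracker(connector_hosts={"10.5.11.8"})
    day1 = [
        Transfer("day1 10:57", SAMPLE_HASH, "10.4.10.183", "10.5.11.8", "HTTP/Firefox"),
        Transfer("day1 17:57", SAMPLE_HASH, "10.5.11.8", "10.3.4.51", "SMB"),
        Transfer("day1 18:27", SAMPLE_HASH, "10.3.4.51", "10.5.60.66", "SMB"),
    ]
    for t in day1:
        tracker.observe(t)   # all allowed: the disposition is still unknown
    retro = tracker.update_disposition(SAMPLE_HASH, "MALWARE", "day2 06:14")
    # the file tries to re-enter through the original point of entry
    reentry = tracker.observe(
        Transfer("day2 07:00", SAMPLE_HASH, "10.4.10.183", "10.5.11.8", "HTTP/Firefox"))
    return tracker, retro, reentry


if __name__ == "__main__":
    tracker, retro, reentry = run_use_case()
    for e in tracker.events:
        print(e)
    print("re-entry:", reentry)
```

The verdict change produces four retrospective events, one per device on the trajectory, with only the connector host quarantining; the later transfer of the same hash is refused outright, and a repeated MALWARE verdict raises no duplicate events.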
37. Summary
• Cisco Advanced Malware Protection provides both Prevention AND
Retrospection capability for Content Gateways, Network Inspection Points, and
Endpoints
• Not Anti-Virus, but a way to address the unknown threats that exist in the
environment
• Every organization WILL suffer a breach
Editor's Notes
This use case gives a great view of a file being introduced, retrospective events occurring, quarantining, and future events being blocked. This is a great illustration of the correlation between end-point and network data.
This is the actual program view, showing the path of a file across multiple devices. By hovering over an event you can see details like where the file came from originally, when it was downloaded, what type of event it is, and the program name. All this information is just a mouse hover away.
Here we see the first event, a file with an unknown disposition is present on IP: 10.4.10.183
It enters the network by being transmitted from 10.4.10.183 to 10.5.11.8 and the file still has a disposition of unknown. We did not know it was bad. But we do know that it was introduced by a user downloading this file over HTTP using the application Firefox, a web browser. That file then sat on 10.5.11.8.
After a period of inactivity, the file transmits down to machine 10.3.4.51 over SMB, the application protocol listed in the grey box. So it starts transmitting using internal Microsoft file-sharing protocols. This file has not yet been identified as malware and so its disposition is still unknown.
The file copies itself onto a fourth machine a half hour later using the same application protocol.
At 6:14, we see a retrospective event turn up. So it appears for 4 machines at the same time. Our disposition thus far has gone from something we think is unknown to now known malware. So we've alerted each of these four machines and the defense center that malware has been found in the environment, to enable the user to track how that file propagated around the network and understand the scope of the breach.
This machine here, 10.5.11.8, we can see that it has the FireAMP endpoint connector installed. We know this because immediately after that retrospective event was raised the endpoint quarantined the file. So by having the connector on the endpoint you have the ability to clear up, remediate and quarantine that infection on the endpoint in near real time.
Later the file once again tried to move around the network. This time once again, by someone trying to send the file over HTTP using the application Firefox. This time, because the file is now known to be malware, this transmission was blocked.