Cisco Quick Hit Briefing


1 Cisco Quick Hit Briefing
Cisco Security: Sourcefire Deep Dive. Brian Avery, Territory Business Manager, Cisco.
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL: 13ab90b4883aef8d5641c47d8ca Thanks for your interest and participation!

My name is <your name> and I’m with Cisco. Thanks for taking the time to meet with me about Advanced Malware Protection. In this discussion, we’ll get into how AMP works from a technical perspective to better protect your organization from threats. <click>

2 Cisco Quick Hit Briefing
Cisco Security: Sourcefire Deep Dive. Brian Avery, Territory Business Manager, Cisco.
Connect using the audio conference box or you can call into the meeting: Toll-Free: (866) Enter Meeting ID: and your attendee ID number. Press “1” to join the conference.

3 Presentation Agenda
About Your Host; Quick Hits and Customer Education; Security in the 21st Century; Cisco Security Overview; Sourcefire Deep Dive; Conclusion
About Your Host: Brian Avery, Territory Business Manager, Cisco Systems, Inc.

4 What Is a Quick Hit Briefing?
A weekly partner briefing series designed for Cisco Commercial Territory partners. Concise, relevant updates on: Cisco products and solutions; partner programs and promotions; partner enablement (demand generation, selling skills, closing tools, etc.). Welcome to Quick Hit Briefing #137: 28,222 attendees and growing!

5 NEW! Cisco Customer Education Series (CCE)
Customer-facing WebEx Events: let us sell for you! Next event: Wednesday Nov 1:30 p.m. “You've Already Been Hacked. Now What? Cisco Next-Gen Security Can Help”. Invite your customers to attend and we will notify you if they do! Access registration links, invites and replays at:

6 Security in the 21st Century

7 The Reality: Organizations Are Under Attack
95% of large companies targeted by malicious traffic. 100% of organizations interacted with websites hosting malware. Cybercrime is lucrative, barrier to entry is low. Hackers are smarter and have the resources to compromise your organization. Malware is more sophisticated. Organizations face tens of thousands of new malware samples per hour. Source: 2014 Cisco Annual Security Report
[Timeline graphic, 1990 to 2020: Viruses 1990–2000; Worms 2000–2005; Spyware and Rootkits 2005–Today; APTs, Cyberware Today+. Captions: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape]

The reality today is that the IT security world is a pretty scary place. Simply put, organizations today are under attack. IT Security Managers are tasked with defending their organizations from cyberattacks, and they’re up against some pretty staggering odds. We know that 95% of large companies are targeted by malicious traffic, and 100% of organizations have interacted with websites that host malware. It seems like a week doesn’t go by that you don’t hear about some type of IT security breach in the news. Unfortunately for security teams, this barrage of attacks is not going away; in fact it continues to grow at an alarming rate. Organizations today face tens of thousands of new malware samples per hour. At the end of the day, cybercrime is lucrative, hackers are smarter than ever and have more resources to carry out aggressive attacks, and the malware they are using is becoming more sophisticated.

8 Dynamic Threat Landscape
100% of companies connect to domains that host malicious files or services. 54% of breaches remain undiscovered for months. 60% of data is stolen in hours. It is a community that hides in plain sight, avoids detection, and attacks swiftly.

Organizations are under attack from dynamic threats that exist in a dynamic landscape. On the Internet, malicious activity is no longer the work of lone individuals. Criminals are now often part of communities that continually try new techniques, trade intellectual property, and sometimes work together. Most importantly, the speed and frequency of attacks have accelerated, and it can take months or years for victims to discover they’ve been breached. To be truly effective, your defenses must respond in real time to detect and respond to attacks. Finally, every organization directly encounters malicious content or actors. While most interactions do not result in harm, your adversaries have many opportunities to cause damage to your company’s resources and reputation.

9 Your customer says… “I am just a small fish in a BIG pond.”

10 Yet organizations of every size are targets
Adversaries are attacking you by targeting your organization’s customer data, intellectual property and company secrets. And using you to attack your enterprise customers and partners. 60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey). 100% of corporate networks examined had malicious traffic (Cisco 2014 Annual Security Report). 41% of targeted attacks are against organizations with fewer than 500 employees (July 2014, The National Cyber Security Alliance (NCSA)).

Hackers are targeting you not only for your sensitive data and intellectual property but because of who you know. Small businesses and distributed enterprises are seen as easy targets: windows that hackers can use to gain access to larger customers. Some of the breaches mentioned in the previous slide happened when attackers compromised a small business and used their partner credentials to exploit the larger company. The numbers support this: in a recent study conducted by The National Cyber Security Alliance, 41% of small businesses were attacked. 60% of small businesses in the UK were compromised in the year 2014. And in the Cisco 2014 Annual Security Report, 100% of networks examined had malicious traffic on them. 100%! Like it or not, hackers use you as a tool to steal from larger companies, regardless of how much you really interact with them. And as a small business, it’s difficult to allocate the time or manpower to deal with a complicated attack. T: What are you to do? <click>

11 If you knew you were going to be compromised, would you do security differently?
In today’s threat landscape, the question isn’t if your company will be compromised: it’s a question of when this will occur. We can assume that attackers have already breached your defenses. So if you knew your defenses were already compromised, would you approach security differently? Of course. What’s needed is a new security model, one that understands how attacks occur and provides defenders with an operating model to fight off attacks more effectively.

Other data points: every year Verizon issues their Data Breach Investigations Report. This year’s report tells a damning story, with over 850 breaches last year: 98% stemmed from external agents; 81% utilized some form of hacking; 69% incorporated malware; 96% of attacks were not highly difficult.

12 Cisco Security Overview
…Starting with Superior Protection. <Click>

13 Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum: Before (Discover, Enforce, Harden); During (Detect, Block, Defend); After (Scope, Contain, Remediate). Coverage: Network, Endpoint, Mobile, Virtual, Cloud & Web. Point in Time and Continuous.

In order to uncover and respond to threats, you need to address advanced malware before <<click>> during and after breaches occur. You need to be able to do that across your networks and endpoints (including mobile as well as your web gateways), not only at a point in time but also continuously over time.

14 Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
Attack Continuum: Before (Discover, Enforce, Harden); During (Detect, Block, Defend); After (Scope, Contain, Remediate). Products placed across the continuum: FireSIGHT and pxGrid, ASA, VPN, NGFW, Meraki, Advanced Malware Protection, Network as Enforcer, NGIPS, ESA/WSA, CWS, Secure Access + Identity Services, ThreatGRID, Advanced Malware Protection.

15 Comprehensive Security Requires
Breach Prevention. Rapid Breach Detection, Response, Remediation. Threat Intelligence.

To combat these attacks, you need to have a comprehensive security strategy. Comprehensive security requires that you can… First, prevent breaches. We have to be able to stop the bad things we know about from getting into your environment. It’s a first line of defense and it’s the cornerstone of traditional security. Second, we all know that detection isn’t 100% effective; there will always be infections. Because of this we have to have a method for quickly detecting the things that get through point-in-time defenses, respond to them, and remediate threats before any real damage can be done. And third, you need to have the best threat intelligence to inform your security team about new threats. Especially in this age of advanced malware, you must be able to find active compromises going on that are not known to be malware (unknown or thought to be benign) and would not be recognized by point-in-time engines.

16 Cisco Sourcefire Advanced Malware Protection
…Starting with Superior Protection. <Click>

17 Cisco Advanced Malware Protection Built on unmatched collective security intelligence
Cisco Collective Security Intelligence Cloud (Cisco® Collective Security Intelligence; automatic updates in real time to endpoints, web, networks, IPS and devices). By the numbers: 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 600 engineers, technicians, and researchers; 35% worldwide traffic; 13 billion web requests; 24x7x365 operations; 4.3 billion web blocks per day; 40+ languages; 1.1 million incoming malware samples per day; AMP Threat Grid dynamic analysis of 10 million files/month. Sources feeding the cloud: AMP Community, Private/Public Threat Feeds, Talos Security Intelligence, AMP Threat Grid Intelligence, Advanced Microsoft and Industry Disclosures, Snort and ClamAV Open Source Communities, AEGIS Program.

In addition to protection before, during, and after, and capabilities to prevent breaches, detect breaches when they occur, and quickly respond and remediate malware, you need to have the best threat intelligence on the planet. Cisco Advanced Malware Protection is built on unmatched collective security intelligence. This intelligence is collected from Cisco’s Security Intelligence Operations and the Talos Security Intelligence and Research team and then pushed from the cloud to the AMP client so that the user always has the latest threat intelligence. The intelligence available here is impressive: Cisco’s Security Intelligence Operations and Talos Security Intelligence and Research teams monitor 35% of worldwide traffic and scan 100 terabytes of data per day in order to build a base of security intelligence. The team evaluates 1.1 million incoming malware samples per day, and is made up of 600 engineers, technicians, and researchers, all working to make sure that our customers have the latest threat intelligence to combat advanced threats. The team also leverages the collective intelligence of the AMP, Snort and ClamAV open source communities. This makes for an AMP solution that is truly built on big data.

18 Cisco AMP Threat Grid Feeds Dynamic Malware Analysis and Threat Intelligence to the AMP Solution
Analyst or system (API) submits suspicious sample to Threat Grid. An automated engine observes, deconstructs, and analyzes using multiple techniques. The Cisco® AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts. Actionable threat content and intelligence is generated that can be utilized by AMP, or packaged and integrated into a variety of existing systems or used independently. Slide labels: Low Prevalence Files; Threat Score/Behavioral Indicators; Big Data Correlation; Threat Feeds; Actionable Intelligence; Sample and Artifact Intelligence Database; Proprietary techniques for static and dynamic analysis; “Outside looking in” approach; 350 Behavioral Indicators.

AMP Threat Grid feeds dynamic malware analysis and threat intelligence to be utilized by the AMP solution for disposition lookups, sandboxing, and other dynamic analysis features. [THIS SLIDE IS FULLY ANIMATED. NO BUILDS. ONCE THE SLIDE IS ON THE SCREEN, DON’T CLICK. IT WILL RUN THROUGH THE ENTIRE SLIDE.]

19 Cisco AMP Delivers a Better Approach
Point-in-Time Protection: File Reputation, Sandboxing, and Behavioral Detection. Retrospective Security: Continuous Analysis, unique to Cisco® AMP.

There are two types of protection that are essential for complete security: point-in-time and retrospection. The truth is you need BOTH. Let’s consider point-in-time first. You’re going to spend time up front targeting the assets of your environment, quantifying your areas of weakness. You’ll use tools like vulnerability assessment and management tools, patch management, VPN firewalls, even IPS. These are tools that you use for the point-in-time detection piece. Our point-in-time detection lattice is built on 7 features, providing both file reputation and behavioral detection. Let’s take a look at each of these seven features.

20 Cisco AMP Defends With Reputation Filtering And Behavioral Detection
Point-in-Time Detection | Retrospective Security | Cisco Collective Security Intelligence
Reputation Filtering: One-to-One Signature, Fuzzy Fingerprinting, Machine Learning. Behavioral Detection: Indications of Compromise, Dynamic Analysis, Advanced Analytics, Device Flow Correlation. Continuous Protection.

These seven features break down into two types: reputation filtering and behavioral detection. Reputation filtering is comprised of three key features, the first of which is One-to-One Signatures. <click>

21 Reputation Filtering Is Built On Three Features
1 Unknown file is encountered, signature is analyzed, sent to cloud (Collective Security Intelligence Cloud). 2 File is not known to be malicious and is admitted. 3 Another unknown file is encountered, signature is analyzed, sent to cloud. 4 File signature is known to be malicious and is prevented from entering the system.

Our one-to-one engine ostensibly resembles the approach espoused by the traditional incumbent vendors in the anti-malware space. Namely, it detects specific instances of malicious software by means of signature-based approaches. Because of our advanced analytics capabilities, however, we are able to provide far greater breadth of protection with far greater alacrity than competing offerings. <click> In this animation we see: an unknown file’s signature is analyzed and sent to the cloud; the file’s signature is not known to be malicious and is admitted into the network. <click> Another unknown file’s signature is analyzed and sent to the cloud; this file’s signature is known to be malicious and is prevented from entering the system. This will filter out what we already know to be malicious.

22 Reputation Filtering Is Built On Three Features
1 Fingerprint of file is analyzed and determined to be malicious (Collective Security Intelligence Cloud). 2 Malicious file is not allowed entry. 3 Polymorphic form of the same file tries to enter the system. 4 The fingerprints of the two files are compared and found to be similar to one another. 5 Polymorphic malware is denied entry based on its similarity to known malware.

Moving up one level in abstraction, the next technology leverages file fingerprint identification to determine and capture a given threat as well as polymorphic variants of that threat. In contrast to competing offerings, we have combined large-scale data mining techniques with an extensive automation framework around this technology. The result is that we eliminate the slower, manual processes of other vendors and provide protection right away. In the animation we see: 1. A file attempts to enter a device or network. 2. The file is then analyzed and, because it is determined to be malicious based on its fingerprint, it is blocked. 3. <click> A polymorphic form of the same malware attempts to enter the device. 4. The fingerprints of the two files are compared and found to be similar to one another. 5. The polymorphic malware is denied entry based on its similarity to known malware. <click>

23 Reputation Filtering Is Built On Three Features
1 Metadata of unknown file is sent to the cloud to be analyzed (Collective Security Intelligence Cloud). 2 Metadata is recognized as possible malware. 3 File is compared to known malware and is confirmed as malware. 4 Metadata of a second unknown file is sent to cloud to be analyzed. 5 Metadata is similar to known clean file, possibly clean. 6 File is confirmed as a clean file after being compared to a similarly clean file. [Machine Learning Decision Tree graphic with leaves: confirmed malware, possible malware, possible clean file, confirmed clean file]

Machine Learning Engine: while some vendors rely almost exclusively on signature-based techniques (which work well for identifying known malware), a handful are beginning to add capabilities to more generally identify malicious intent, even for malware that was previously unknown. To make this approach work effectively and to enable large-scale automation (which in turn leads to more immediate protection), Cisco leverages techniques from statistical machine learning. Going one step further, our large-scale analytics capabilities give us an even greater edge, enabling us to construct automated models, optimized for real-world scenarios, that distinguish malicious software from benign software.
<click> Steps in the animation showing Machine Learning: an unknown file’s metadata is sent to the cloud to be analyzed. <click> That metadata is recognized as possible malware. <click> The file is compared to known malware and is confirmed as malware. <click> A different unknown file’s metadata is sent to cloud to be analyzed. <click> This metadata is similar to a known clean file, which is possibly clean. <click> The file is compared to the known clean file and is confirmed clean. <click>

24 Behavioral Detection Is Built On Four Features
1 File of unknown disposition is encountered. 2 File replicates itself and this information is communicated to the cloud. 3 File communicates with malicious IP addresses or starts downloading files with known malware disposition. 4 Combination of activities indicates a compromise and the behavior is reported to the cloud (Collective Security Intelligence Cloud) and AMP client. 5 These indications are prioritized and reported to security team as possible compromise.

Indications of Compromise work by identifying actions that are associated with known malware and analyzing unknown files to see if they are performing those types of actions. If it walks and talks like something malicious, chances are it is. This is far more effective than signature-based approaches because a single action might identify 100 files as malicious, whereas a one-to-one signature might get 1 out of those 100. In this animation we see how Indications of Compromise are determined and formed: <click> 1. File of unknown disposition is encountered. 2. File replicates itself. 3. File communicates with known malicious IP addresses and/or starts downloading files with known malware disposition. 4. Combination of activities indicates a compromise. 5. These indications of a compromise are prioritized and reported to the user.

25 Behavioral Detection Is Built On Four Features
1 Dynamic Analysis Engine executes unknown files in on-premises or cloud sandboxes powered by Cisco® AMP Threat Grid (AMP Threat Grid Sandbox). 2 Two files are determined to be malware, one is confirmed as clean. 3 Collective Security Intelligence Cloud is updated with analysis results, and retrospective alerts are broadcast to users (Collective User Base).

The Dynamic Analysis Engine works as a sort of second opinion or consultation. Files that have been analyzed by all other engines and still have a disposition of unknown can be sent automatically to the dynamic analysis engine for sandbox analysis. By fully analyzing file behavior in a sandbox environment powered by AMP Threat Grid, either via an on-premises or cloud sandbox, a threat score from 1 to 100 is calculated and returned within minutes so that customers can automate responses and have detailed analysis for deeper investigation. <click> In this slide we see: unknown files that are uploaded to the cloud to be analyzed in isolated sandboxes. <click> Two files are determined to be malware and the other is confirmed as a clean file. <click> The malicious signatures are updated to the Intelligence cloud and broadcast to the user base to prevent future attacks with the same file. <click>

26 Behavioral Detection Is Built On Four Features
1 Receives information regarding software unidentified by Reputation Filtering appliances. 2 Receives context regarding unknown software from Collective User Base. 3 Analyzes file in light of the information and context provided (Cisco® AMP Threat Grid Analysis, Collective Security Intelligence Cloud). 4 Identifies the advanced malware and communicates the new signature to the user base.

With our advanced analytics engine, powered by the Cisco Collective Security Intelligence Cloud and AMP Threat Grid, we can identify new threats by analyzing global trends. Furthermore, we are able to harness the power of collective immunity by ensuring that our entire community is immediately protected from threats that are discovered. Advanced analytics works in tandem with One-to-One Signature, Fuzzy Fingerprinting and Machine Learning to identify malware that is not fully identified by the individual detection engines. <click> In the animation: the detection engines send unknown but suspicious files to the advanced analytics engine. <click> The advanced analytics engine also receives additional context from the collective Cisco user base. <click> Analyzing the files in those specific contexts helps to identify the files as malware. <click> The malware signature is sent out to the collective user base. <click>

27 Behavioral Detection Is Built On Four Features
1 Device Flow Correlation monitors communications of a host on the network. 2 Two unknown files are seen communicating with a particular IP address. 3 One is sending information to the IP address, the other is receiving commands from the IP address. 4 Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site. 5 Unknown files are identified as malware because of the association.

Device Flow Correlation allows us to identify malware based on their actions rather than on their individual signatures. By tracking the inbound/outbound communication from files, we can label files as bad based on association. If we know a particular URL is malicious and we see different files communicating to and from that URL, we can automatically label those files as malware-related without having to do anything else. <click> In the animation: Device Flow Correlation tracks I/O. <click> Two files are seen communicating with the same IP address; one is sending information, the other is receiving information. <click> The IP address in question is known to be malicious. <click> The two files are guilty by association and labeled as malware. <click>

28 Cisco AMP Delivers A Better Approach
Point-in-Time Protection: File Reputation, Sandboxing, and Behavioral Detection. Retrospective Security: Continuous Analysis, unique to Cisco® AMP.

When it comes to AMP specifically, you’re going to use file reputation, the ability to look at databases of files, in order to understand whether they are known to be malware, considered to be clean, or considered in the state of unknown for a period of time. At the end of the day, they’re still point-in-time. You’ll execute them in a sandbox, or have virtual execution so you can gain insight into how files behave, and use some of the outputs to determine whether we need to change our mind on a file. <click> That leads to our Retrospective Security. Most folks don’t have the ability, time or talent needed to take the output from virtual execution and other point-in-time tools and look at them with fresh intelligence every day. Retrospective security takes all of the input just mentioned, all of the relationships we have with businesses and our vulnerability data, and all of the work we do monitoring our security intelligence for insight, and looks over new events with fresh intelligence every few hours. We get to look at all the data continuously, with new insight, new intelligence, and the proper understanding. Retrospective security should be considered your plan B. It’s what happens when something gets through all of your point-in-time detection, because you’re always going to be dealing with less than 100% detection.

29 Cisco AMP Defends With Retrospective Security
To be effective, you have to be everywhere, continuously. <click>

30 Why Continuous Protection Is Necessary
Breadth and control points: WWW, Endpoints, Web, Network, Gateways, Devices. Telemetry stream: file fingerprint and metadata; continuous feed; file and network I/O; process information. Continuous analysis: Talos + Threat Grid Intelligence.

The Retrospective Security feature is the cornerstone that separates Cisco from any other company that might offer you malware protection, breach protection, breach detection, response, and remediation. Information and files are always coming in and out of your environment, <click> be they considered good, bad or unknown. Clean, malware or unknown, you need to be monitoring what is passing through the environment and what those files are doing AFTER they pass through your security control points. The fact that a file shows up, or a particular communication stream occurs to a website, or to one of the systems your password protects, the very fact that it occurred is a historical security event. And you need to be logging all of that data without regard to disposition, because those things provide context. We consider this a telemetry data set. We watch all the files, all of the network I/O, and we constantly log this against our continuous analysis systems in the cloud, and those systems look over that same data with fresh eyes every day. So what does this look like?

31 Why Continuous Protection Is Necessary
Event History: Who, What, Where, When, How. Collective Security Intelligence. Context. Enforcement. Continuous Analysis.

Retrospective Security gives us all the information we need to look back in time when we need to. Without all the context and actions of a certain file, remediation can only be taken so far. You might be able to deal with the problem on one or two devices quickly, but in order to contain an infection entirely you need to be able to see all of the variables. <click> Who it’s infected. What propagated the malware. Where it currently sits on the system. When it entered the system. How it entered the system. Continuous Protection monitors all of this information and allows you to retrace the path of unknown files once they are found to be malware and enforce the policy to stop the infection.

33 Cisco AMP Defends With Retrospective Security
Trajectory. Behavioral Indications of Compromise. Elastic Search. Continuous Analysis. Attack Chain Weaving.

We can do all of this because of five distinct yet overlapping features that work together to give you unparalleled visibility into your environment. <click>

34 Retrospective Security Is Built On…
Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Retrospective Security Is Built On… Trajectory Behavioral Indications of Compromise Breach Hunting Continuous Analysis Attack Chain Weaving Performs analysis the first time a file is seen 1 Persistently analyzes the file over time to see if the disposition is changed 2 Giving unmatched visibility into the path, actions, or communications that are associated with a particular piece of software 3 Continuous Analysis provides the first link in this persistent file tracking. As a file enters the system, Continuous Analysis continually monitors the activities of that file, and builds out a file’s disposition by monitoring it in three different ways: <click> In the animation we see the point in time snapshots of a file’s disposition tracked. It is analyzed when it first appears Tracked as time goes on Allowing unmatched visibility into its disposition over time This technology strings together individual point in time snapshots of the same file which allows you to know everywhere it has been moving and everything it is doing.

35 Retrospective Security Is Built On…
Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Retrospective Security Is Built On… Uses retrospective capabilities in three ways: Trajectory Behavioral Indications of Compromise Breach Hunting Continuous Analysis Attack Chain Weaving File Trajectory 1 Process Monitoring 2 Communications Monitoring 3 Attack Chain Weaving analyzes the data collected by File Trajectory, Process Monitoring, and Communications Monitoring to provide a new level of threat intelligence. File Trajectory records the trajectory of the software from device to device. Process Monitoring monitors the I/O activity of processes on the system. Communications Monitoring records which applications are communicating to and from the endpoint. Attack Chain Weaving is the method for weaving together the file, process, and communication retrospection streams as they happen over time to capture the relational dimension that is missing in two-dimensional point-in-time technologies. By overlaying the three different pivots on Retrospection, we can see where activity is going on, what type of activity is happening and what applications are being used to do those things. <click> (In the animation) 1. File Trajectory continues to interrogate the file and update its disposition over time <click> 2. Process Monitoring monitors, captures and analyzes system I/O over an extended period of time. <click> 3. Communications Monitoring records correspondence to and from an endpoint and the associated application for context. This allows us to be far more adaptable in our remediation and identification methods than standard detection software because we can label things as malicious based on their behavior over time, not just their behavior at a point in time. This enables full comprehension of an attack, not just an isolated detection.

36 Retrospective Security Is Built On…
Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Retrospective Security Is Built On… Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures! Trajectory Behavioral Indications of Compromise Breach Hunting Continuous Analysis Attack Chain Weaving An unknown file is admitted into the network 1 The unknown file copies itself to multiple machines 2 Duplicates content from the hard drive 3 Sends duplicate content to an unknown IP address 4 AMP goes beyond indications of compromise that are built on signatures alone. AMP recognizes the patterns and activities as malicious even though the file reputation may not be known. It's based on behavior. Behavioral Indications of Compromise are more than static artifacts used to query against; these are complex behavioral clues that Attack Chain Weaving captures and behavioral IoCs can detect as they are happening in real time, identifying malware by behavior rather than a fingerprint or signature. As discussed previously, today's advanced threats are not a single piece of software but a coordinated effort between different pieces of software. We have built a method of identifying those coordinated efforts by pooling that Retrospection data. <click> The individual action of a file being duplicated or sent to an IP address isn't an action that would raise red flags; it happens regularly throughout the course of any given day. But let's say there are a group of files being copied and sent to the SAME IP address at semi-regular intervals; that might indicate something is going on. Again, this is far beyond the reach of traditional systems that use point-in-time defense only. <click> Using the power of Attack Chain Weaving, Cisco® AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature.
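The correlation this slide describes, written out as an added Python example that is not Cisco's code and not AMP's detection engine: three event types that are individually benign (a file copied to another host, a file read from local disk, an outbound connection) are grouped per file hash, and a hash is flagged only when it spreads to several hosts, reads local content, and repeatedly contacts the same IP at a regular interval. The event fields, the thresholds and the sample telemetry are constructed assumptions for illustration, not data from a real deployment.

```python
"""Added example (not Cisco's or AMP's code): turning per-file event streams
into a behavioral indicator of compromise. Event layout and thresholds are
assumptions; the SAMPLE_EVENTS below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed telemetry. Fields: timestamp, host, file hash (shortened), event, detail.
#   file_copy : detail = destination host the file was copied to
#   file_read : detail = local path the file's process read
#   connect   : detail = remote IP the file's process contacted
SAMPLE_EVENTS = [
    # f1: spreads to three hosts, reads documents, then beacons to one IP every ~10 min
    ("2015-10-29T10:57:00", "host-a", "f1", "file_copy", "host-b"),
    ("2015-10-29T11:02:00", "host-b", "f1", "file_read", "C:/Users/x/Documents/q3.xlsx"),
    ("2015-10-29T11:02:30", "host-b", "f1", "file_read", "C:/Users/x/Documents/plan.docx"),
    ("2015-10-29T11:03:00", "host-b", "f1", "file_read", "C:/Users/x/Desktop/pw.txt"),
    ("2015-10-29T11:05:00", "host-b", "f1", "connect", "203.0.113.5"),
    ("2015-10-29T11:15:20", "host-b", "f1", "connect", "203.0.113.5"),
    ("2015-10-29T11:24:50", "host-b", "f1", "connect", "203.0.113.5"),
    ("2015-10-29T11:35:10", "host-b", "f1", "connect", "203.0.113.5"),
    ("2015-10-29T18:00:00", "host-b", "f1", "file_copy", "host-c"),
    # f2: an installer pushed to two hosts; no reads, no network activity
    ("2015-10-29T09:00:00", "host-a", "f2", "file_copy", "host-b"),
    ("2015-10-29T09:01:00", "host-a", "f2", "file_copy", "host-c"),
    # f3: a backup agent on one host that reads many files but talks to varying internal IPs
    ("2015-10-29T12:00:00", "host-d", "f3", "file_read", "C:/data/a.db"),
    ("2015-10-29T12:00:10", "host-d", "f3", "file_read", "C:/data/b.db"),
    ("2015-10-29T12:00:20", "host-d", "f3", "file_read", "C:/data/c.db"),
    ("2015-10-29T12:01:00", "host-d", "f3", "connect", "10.0.0.7"),
    ("2015-10-29T12:11:00", "host-d", "f3", "connect", "10.0.0.8"),
    ("2015-10-29T12:21:00", "host-d", "f3", "connect", "10.0.0.9"),
]


def regular_interval(timestamps, tolerance=timedelta(seconds=60)):
    """Return the median gap when the timestamps are evenly spaced (every gap
    within `tolerance` of the median), otherwise None. Needs at least 3 points."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    if all(abs(gap - median) <= tolerance for gap in gaps):
        return median
    return None


def behavioral_iocs(events, min_hosts=2, min_reads=3, min_beacons=3):
    """Group events by file hash and flag hashes that combine all three
    behaviours from the slide: spreading to several hosts, reading local
    content, and repeated connections to one IP at a regular cadence."""
    hosts = defaultdict(set)                         # hash -> hosts the file was seen on
    reads = defaultdict(int)                         # hash -> number of local reads
    conns = defaultdict(lambda: defaultdict(list))   # hash -> ip -> connection times
    for ts, host, sha, kind, detail in events:
        hosts[sha].add(host)
        if kind == "file_copy":
            hosts[sha].add(detail)
        elif kind == "file_read":
            reads[sha] += 1
        elif kind == "connect":
            conns[sha][detail].append(_ts(ts))

    findings = {}
    for sha in hosts:
        if len(hosts[sha]) < min_hosts or reads[sha] < min_reads:
            continue  # a single behaviour on its own is not an indicator
        for ip, times in conns[sha].items():
            period = regular_interval(times)
            if len(times) >= min_beacons and period is not None:
                findings[sha] = {
                    "hosts": sorted(hosts[sha]),
                    "files_read": reads[sha],
                    "beacon_ip": ip,
                    "beacons": len(times),
                    "period_seconds": int(period.total_seconds()),
                }
    return findings


if __name__ == "__main__":
    for sha, finding in behavioral_iocs(SAMPLE_EVENTS).items():
        print(sha, finding)
```

Only f1 is flagged: f2 spreads but never reads or connects, and f3 reads and connects but stays on one host and rotates destinations. The output for f1 is the list of hosts and the beacon destination, which is exactly the pivot the later "Elastic Search" slide sweeps the environment with.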

37 Retrospective Security Is Built On…
Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Retrospective Security Is Built On… File Trajectory Trajectory Behavioral Indications of Compromise Breach Hunting Continuous Analysis Attack Chain Weaving Unknown file is downloaded to device 1 Fingerprint is recorded and sent to the Collective Security Intelligence Cloud for analysis 2 The unknown file travels across the network to different devices 3 File trajectory automatically records propagation of the file across the network Sandbox analytics determines the file is malicious and notifies all devices 4 If the file is deemed malicious, file trajectory can provide insight into which hosts are infected, and it provides greater visibility into the extent of an infection 5 It may sound like a fancy marketing word for tracking, but Trajectory is much more than tracking. Tracking is an enumerated list of point-in-time events to show where something has been, and we already covered that with Retrospection. Trajectory is the contiguous path an object moves, in this case malware, as a function of time. It is substantially more effective at showing the scope and root causes of malware in relation to where it has been and what it has done. File Trajectory traces the path of a particular file as it travels from device to device across a network. No matter where something goes, File Trajectory records who sent it, when they sent it, links it to where the file originated from and who it was sent to next. It quickly establishes the scope of exposure to malicious or suspect files based on time, method and point of entry; systems impacted; and prevalence. All without the need to scan or snapshot endpoints. <click> In the animation: An unknown file is downloaded onto a device. <click> Meanwhile, the file disposition is being determined <click> As the file begins to move around the environment, File Trajectory records the full scope of the infection as it unfolds, even though you don't know it's an infection yet. <click> Once the file has been determined to be malware, all devices are alerted and the infection is instantly understood. <click>

38 Retrospective Security Is Built On…
Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Retrospective Security Is Built On… Device Trajectory Trajectory Behavioral Indications of Compromise Breach Hunting Continuous Analysis Attack Chain Weaving Unknown file is downloaded to a particular device 1 The file executes 2 Drive #1 Drive #2 Drive #3 Device trajectory records this, the parent process lineage and all actions performed by the file 3 Computer File is convicted as malicious and the user is alerted to the root cause and extent of the compromise 4 Building on the level of scope provided by File Trajectory, Device Trajectory provides robust time-window analysis of system processes to understand root cause, history and lineage, with the ability to expand or contract the time window and filter to quickly pinpoint the exact cause of compromise. In the animation: The unknown file is transferred to this particular device <click> The file moves around, executing different commands on the device <click> Device Trajectory records those individual actions executed by that file on that particular device <click> That data is leveraged to trace back the root of the infection and contribute to profiling different malware signatures <click>

39 Retrospective Security Is Built On…
Point-in-Time Detection Retrospective Security Cisco Collective Security Intelligence Retrospective Security Is Built On… Trajectory Behavioral Indications of Compromise Elastic Search Continuous Analysis Attack Chain Weaving Elastic Search is the ability to use the indicators generated by Behavioral IoCs to monitor and search for threats across an environment 1 When a threat is identified, it can be used to search for and identify whether that threat exists anywhere else 2 This function enables quick searches to aid in the detection of files that remain unknown but are malicious 3 The Elastic Search functionality can look for similar files exhibiting similar behavior in your environment. <click> In the animation: We see the identified behavior from the Behavioral IoCs slide. <click> <click> You can then search for the file that the behavior is associated with and find it going on in other places across your network <click> This allows you to perform wide sweeps across your network for a particular behavior to find the extent of an infection across your entire environment <click>

40 Cisco AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage Focus on these users first Who These applications are affected What The breach affected these areas Where This is the scope of exposure over time When Here is the origin and progression of the threat How These features provide you with the visibility and control you need to not only prevent breaches, but quickly detect and take control of an attack and remediate threats before any damage can be done. Now you have answers to essential questions in the face of a breach: Where did the malware come from? Where has it been? What is it doing? And how do I stop it? This is essential, because it gives IT security managers the visibility they need to respond quickly in the event of an attack. The tools provided by AMP let you understand the scope of the situation in front of you and give you the power to quickly take control of the situation before it can get worse. This is something that point-in-time detection alone cannot provide. It's really the difference between being completely blind to what happened, or maybe having just a few data points to go on, versus having the assurance and visibility to know what's malicious, where the malware entered the system, where it went after that, what it's doing now, and what systems are affected. Having this information at your fingertips allows you to answer some pretty important questions in the face of a potential breach, such as: Where do I start? How bad is the situation? What did the threat do? How do we recover from it? And how do we keep it from happening again?

41 Cisco AMP Everywhere Strategy Means Protection Across the Extended Network
*AMP for Endpoints can be launched from AnyConnect Windows OS Virtual Android Mobile Mac OS AMP for Networks AMP for Endpoints AMP AMP Threat Grid Malware Analysis + Threat Intelligence Engine Appliance or Cloud Advanced Malware Protection AMP on Cisco® ASA Firewall with FirePOWER Services AMP Private Cloud Virtual Appliance CWS AMP on Web & Email Security Appliances AMP for Cloud Web Security & Hosted Email Security Cisco has one of the most comprehensive AMP portfolios on the market. With investment and innovation spanning several years, our AMP Everywhere strategy means customers are protected across the extended network, including PCs, Macs, mobile devices and virtual environments, through standalone AMP appliances, as part of FirePOWER appliances for Next-Generation IPS or Next-Generation Firewall, and via Cisco Web Security Appliances, Email Security Appliances, and the Cloud Web Security and Hosted Email Security SaaS offers. For dynamic malware analysis and threat intelligence capabilities, you can even deploy AMP Threat Grid as a standalone appliance.

42 There Are Several Ways You Can Deploy AMP
Advanced Malware Protection Deployment Options
1. AMP on Email and Web Security Appliances; Cisco® ASA; CWS
Method: License with ESA, WSA, CWS, or ASA
Ideal for: New or existing Cisco CWS, Email/Web Security, and ASA customers
Details: ESA/WSA: prime visibility into email/web. CWS: web and advanced malware protection in a cloud-delivered service. AMP capabilities on ASA with FirePOWER Services.
2. AMP for Networks (AMP on FirePOWER Network Appliance)
Method: Snap into your network
Ideal for: IPS/NGFW customers
Details: Wide visibility inside the network. Broad selection of features before, during, and after an attack. Comprehensive threat protection and response.
3. AMP for Endpoints
Method: Install lightweight connector on endpoints
Ideal for: Windows, Windows OS for POS, Mac, Android, virtual machines; can also deploy from the AnyConnect client
Details: Granular visibility and control. Widest selection of AMP features.
4. AMP Private Cloud Virtual Appliance
Method: On-premises virtual appliance
Ideal for: High-privacy environments
Details: Private Cloud option for those with high-privacy requirements. Can deploy in full air-gapped mode or cloud proxy mode. For endpoints and networks: Windows/Mac, mobile, virtual.
There are several ways you can deploy AMP. 1. Described in column 1, you can add AMP capabilities to Cisco Email and Web Security Appliances, onto Cisco Cloud Web Security, and turn on AMP on your ASA with FirePOWER Services firewall solution. 2. You can deploy AMP for Networks, which is simply AMP capabilities enabled on your FirePOWER Network Security Appliance. 3. You can deploy AMP for Endpoints on your PCs, Macs, mobile devices, and virtual environments. 4. You can deploy the AMP Private Cloud Virtual Appliance, which is simply a virtual instance of the AMP solution that gives you an on-premises, virtual appliance option best suited for high-privacy environments. 5. And finally, not pictured here, you can also deploy AMP Threat Grid as a standalone appliance for threat intelligence and dynamic malware analysis.

43 Protection Across Networks
Endpoint Content WWW The Network platform uses indications of compromise, file analysis, and in this example file trajectory to show you exactly how malicious files have moved across the environment Lets review some examples of AMP capabilities via different deployments. In this screenshot you can see an example of the detailed reporting provided by AMP for Networks. The Network platform uses indications of compromise, file analysis, and in this example, file trajectory to show how files move across systems to help in remediation. <click> This screenshot is from a Use Case that can be covered later in the deck.

44 Protection Across Endpoints
Network Endpoint Content WWW The Endpoint platform has device trajectory, elastic search, and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the AMP for Endpoints connector installed In this screenshot you can see an example of the detailed reporting provided by AMP for Endpoint. The Endpoint platform has device trajectory, elastic search and outbreak control which in this example, is shown quarantining recently detected malware on a device that has the FireAMP connector installed. <click> This screenshot is from a Use Case that can be covered later in the deck.

45 Protection Across Web and Email
Network Endpoint Content WWW Cisco® AMP for Web and Email protects against malware threats in web and email traffic by blocking known malware and issuing retrospective alerts when unknown files are convicted In this screenshot you can see an example of the reporting provided by AMP for Content, which protects against web and email threats by blocking known malware and websites with malicious reputations, and by issuing retrospective alerts when unknown files are later convicted. <click>

46 Conclusion Hello, welcome. My name is ____________ and I’m with Cisco. Thanks for taking the time to meet with me today to talk about the exciting refresh of our ASA Firewalls for small businesses. T: We all know that protecting your business is critical, yet it is easy to believe that only large businesses are the primary target of attackers. <Click>

47 Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum Attack Continuum After Scope Contain Remediate Before Discover Enforce Harden During Detect Block Defend Network Endpoint Mobile Virtual Cloud & Web Point in Time Continuous In order to uncover and respond to threats, you need to address advanced malware before <<click>> during and after breaches occur. You need to be able to do that across your networks and endpoints (including mobile, as well as your web and email gateways), not only at a point in time but also continuously over time.

48 Only Cisco Security Can Deliver… Visibility and Control Across the Full Attack Continuum
Before Discover Enforce Harden During Detect Block Defend After Scope Contain Remediate FireSIGHT and pxGrid ASA VPN NGFW Meraki Advanced Malware Protection Network as Enforcer NGIPS ESA/WSA CWS Secure Access + Identity Services ThreatGRID

49 Are You Able to Defend Against Advanced Malware?
Can your customers detect advanced malware in web and email? 1 Assess your customers' current level of network protection 2 Assess your customers' current level of endpoint protection 3 <click> Questions you should be asking your organization

50 Get Started Now Offer your customers a Proof-of-Value (POV) deployment 1 Establish a timeframe and installation date for POV 2 Determine hardware requirements and configuration changes 3 Select POV length and delivery 4 Schedule kick-off meeting 5 <click> Steps to better protection for your organization

54 Need Assistance Getting Cisco Express Security Specialized?
They will navigate with you, through the specialization requirements They host/sponsor the required AM & SE specialization classes Offering FREE* ASA 5506 Enable you to complete Security Network Assessments –$1,500 spiff available Call your Cisco Distributor *Partner can be eligible for a free ASA5506 if they complete ESS and are nominated by their distributor to receive a free ASA 5506 on NFR through CCW at .01 cost Network Assessments - Contact Information Avent Comstor D&H Ingram: Mulvaugh, Michael ScanSource: Tech Data

55 Sourcefire Resources Advanced Malware Protection
Cisco AMP Threat Grid - Appliances Cisco AMP Threat Grid - Cloud Cisco Advanced Malware Protection Virtual Private Cloud Appliance Cisco Advanced Malware Protection for Endpoints Cisco Advanced Malware Protection for Networks

56 Sourcefire Resources Customer Case Studies
Playlist of all Customer Testimonials on AMP John Chambers on Cisco Security and AMP SHSU.uses AMP for Endpoints Gartner Video-on-Demand: Strategies to Combat Advanced Threats featuring Cisco AMP   ADP uses ThreatGrid

57 Sourcefire Resources AMP Demos /Videos
AMP + Threat Grid External Launch Video AMP for Endpoints Overview Video NSS Labs Breach Detection System test AMP for Networks Overview Video AMP on Techwise TV June 2015 AMP Threat Grid Overview Video AMP Overview in 4 Minutes: Meet Tom, the IT Security Guy

58 Sourcefire Resources Updated Data Sheets, At-a-Glances, Infographic, Whitepapers AMP Solution Overview AMP Solution AAG AMP for Networks: Data Sheet | AAG AMP for Endpoints: Data Sheet | AAG Security Everywhere Whitepaper (direct link) AMP Threat Grid Solution Overview AMP Threat Grid – Appliance: Data Sheet | AAG  AMP Threat Grid – Cloud: Data Sheet Malware Infographic

59 Call to Action Invite Your Customers to the next CCE Event
Next event – Wednesday Nov 1:30 p.m. You've Already Been Hacked. Now What? Cisco Next-Gen Security Can Help Registration link | Invitation Invite your customers to attend and we will notify you if they do! Access registration links, replays at:

60 Join Us Next Week! Next Quick Hit Briefing
Big Data = Big $$$$ - Learn how to Monetize Big Data with Cisco Thursday Nov 5th, 2015 at 9:30 ET Check for registration links and replays

62 Appendix: How AMP Works
…Starting with Superior Protection. <Click>

63 How Cisco AMP Works: Network File Trajectory Use Case
This use case gives a great view of a file being introduced, retrospective events occurring, quarantining, and future events being blocked. It is a great illustration of the correlation between endpoint and network data. <click>

64 This is the actual program view, showing the path of a file across multiple devices. By hovering over an event you can see details like where the file came from originally, when it was downloaded, what type of event it is, and the program name. All this information is just a mouse hover away. <click>

65 An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox Here we see the first event: a file with an unknown disposition is present on IP 10.4.10.183. <click>

66 At 10:57, the unknown file is transmitted from IP 10.4.10.183 to IP 10.5.11.8
It enters the network by being transmitted from 10.4.10.183 to 10.5.11.8, and the file still has a disposition of unknown. We did not know it was bad. But we do know that it was introduced by a user downloading this file over HTTP using the application Firefox, a web browser. That file then sat on 10.5.11.8. <click>

67 Seven hours later the file is then transferred to a third device ( ) using an SMB application After a period of inactivity, the file transmits down to machine over SMB, the application protocol listed in the grey box. So it starts transmitting using internal Microsoft file-sharing protocols. This file has not yet been identified as malware and so its disposition is still unknown. <click>

68 The file is copied yet again onto a fourth device (10. 5. 60
The file is copied yet again onto a fourth device ( ) through the same SMB application a half hour later The file copies itself onto a fourth machine a half hour later using the same application protocol. <click>

69 The Cisco® Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately. At 6:14, we see a retrospective event turn up. It appears for all 4 machines at the same time. Our disposition has gone from something we thought was unknown to now known malware. So we've alerted each of these four machines and the Defense Center that malware has been found in the environment, to enable the user to track how that file propagated around the network and understand the scope of the breach. <click>

70 At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware This machine here, , we can see that it has the AMP for Endpoints connector installed. We know this because immediately after that retrospective event was raised, the endpoint quarantined the file. So by having the connector on the endpoint you have the ability to clean up, remediate and quarantine that infection on the endpoint in near real time. <click>

71 Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked. Later, the file once again tried to move around the network, again by someone trying to send the file over HTTP using the application Firefox. This time, because the file is now known to be malware, the transmission was blocked. <click>
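The mechanism behind slide 37 (File Trajectory) and this use case, as an added Python example that is not Cisco's code and not the FirePOWER or AMP implementation: every transfer of a file hash is recorded with its time, source, destination, protocol and application; a transfer is only blocked at the moment it happens if the hash is already known bad; and when the cloud verdict for an unknown hash later flips to malicious, one retrospective event is raised for every host on the recorded path, with a quarantine on any host that runs a connector. The timestamps, the addresses of the third and fourth devices, the hash, and the choice of which host has a connector are constructed assumptions; 10.4.10.183 and 10.5.11.8 are the two addresses the use case shows.

```python
"""Added example (not Cisco's code): a minimal file-trajectory store with
retrospective re-conviction, modelled on the network file trajectory use case.
Event layout, quarantine/block semantics and the replayed sample are assumptions."""
from collections import defaultdict
from datetime import datetime


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


class FileTrajectory:
    """Records every transfer of a file (keyed by hash) and reacts when the
    cloud disposition of that hash changes after the fact."""

    def __init__(self, connector_hosts=()):
        self.disposition = {}                        # hash -> "unknown" | "clean" | "malicious"
        self.transfers = defaultdict(list)           # hash -> [(time, src, dst, proto, app, action)]
        self.connector_hosts = set(connector_hosts)  # endpoints running the connector
        self.quarantined = set()                     # (host, hash) pairs a connector removed
        self.retrospective_events = []               # alerts raised when a disposition flips

    def observe_transfer(self, when, sha256, src, dst, proto, app):
        """Point-in-time decision: block only if the hash is already known bad;
        anything unknown is allowed through but recorded."""
        action = "blocked" if self.disposition.get(sha256) == "malicious" else "allowed"
        self.transfers[sha256].append((_ts(when), src, dst, proto, app, action))
        return action

    def exposed_hosts(self, sha256):
        """Every host that sent or received an allowed copy: the scope of exposure."""
        hosts = set()
        for _, src, dst, _, _, action in self.transfers[sha256]:
            if action == "allowed":
                hosts.update((src, dst))
        return sorted(hosts)

    def entry_point(self, sha256):
        """Earliest allowed transfer: where and how the file first came in."""
        allowed = [t for t in self.transfers[sha256] if t[5] == "allowed"]
        if not allowed:
            return None
        first = min(allowed, key=lambda t: t[0])
        return {"time": first[0].isoformat(), "src": first[1], "dst": first[2],
                "proto": first[3], "app": first[4]}

    def update_disposition(self, when, sha256, verdict):
        """Retrospective step: when an unknown hash is convicted, alert every
        exposed host at once and quarantine wherever a connector is present.
        Returns the list of retrospective events raised by this update."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []
        raised = []
        for host in self.exposed_hosts(sha256):
            quarantined = host in self.connector_hosts
            if quarantined:
                self.quarantined.add((host, sha256))
            event = {"time": when, "sha256": sha256, "host": host,
                     "from": previous, "to": verdict, "quarantined": quarantined}
            self.retrospective_events.append(event)
            raised.append(event)
        return raised


def run_use_case():
    """Replays the deck's narrative. Timestamps, the hash 'f1', the third and
    fourth device addresses and the connector placement are constructed."""
    traj = FileTrajectory(connector_hosts={"10.5.12.41"})  # assumption: only the fourth device has a connector
    sha = "f1"
    a1 = traj.observe_transfer("2015-10-29T10:57", sha, "10.4.10.183", "10.5.11.8", "HTTP", "Firefox")
    a2 = traj.observe_transfer("2015-10-29T17:57", sha, "10.5.11.8", "10.5.12.40", "SMB", "Windows file sharing")
    a3 = traj.observe_transfer("2015-10-29T18:27", sha, "10.5.11.8", "10.5.12.41", "SMB", "Windows file sharing")
    alerts = traj.update_disposition("2015-10-29T18:44", sha, "malicious")   # cloud verdict arrives
    a4 = traj.observe_transfer("2015-10-29T18:57", sha, "10.4.10.183", "10.5.11.8", "HTTP", "Firefox")
    return {"actions": [a1, a2, a3, a4], "alerts": alerts, "trajectory": traj}


if __name__ == "__main__":
    result = run_use_case()
    print("actions:", result["actions"])
    for event in result["alerts"]:
        print("retrospective:", event)
    print("entry point:", result["trajectory"].entry_point("f1"))
```

The first three transfers are allowed because the hash is unknown at the time, which is the point-in-time limitation the deck keeps returning to. The conviction then produces four alerts from data that was already recorded, without rescanning any host, and only the connector-equipped host is actually cleaned; the final transfer is blocked because the store now carries the verdict.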

