Post on 22-Sep-2020
Senad Aruc
Consulting Systems Engineer - Advanced Threats Group
"A false sense of security is worse than a true sense of insecurity"
“AMP like an accelerator to successful cybersecurity strategy”
Nils Roald
Advanced Threats - North Sales Leader
Detection
Network Security
Web Security
E-mail Security
Application Security
End Point Security
DATA on End-Point
Prevention
Remediation
Response
Exposure
Cybersecurity Operations
Risk
Cybersecurity operations best practice - defence in depth
AMP on Cisco® ASA Firewall, ISR and NGIPS with Firepower Services
AMP on Web and Email Security Appliances
Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
Threat Grid: Malware Analysis + Threat Intelligence Engine
AMP
TALOS
Known GOOD
Known BAD
Unknown
Defence in Depth is broken
SandBox
NextGen
Endpoint Intelligence
Cybersecurity problems (not the BOB and ALICE story anymore!)
SHA256
Sandbox Evade Capability
Malware on the wire is not a real malware!
Malware on the wire or malware on the endpoint?
AMP End-point
CSOC Generations: 1, 2, 3, 4 and 4.5
Make the unknown, known
See once, block everywhere
Accelerate incident response
Network Security
Web Security
E-mail Security
End Point Security
DATA on End-Point
Cybersecurity Operations
7/24/365 CSOC 4.5th Generation Architecture
AMP on Cisco® ASA Firewall, ISR and NGIPS with Firepower Services
AMP on Web and Email Security Appliances
Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
Threat Grid: Malware Analysis + Threat Intelligence Engine
TALOS: Talos Public Threat Intelligence
Government Private Intelligence
Internal Threat Intelligence
Accelerate incident response with AMP
Full disk forensics for malware? Why do you need full disk forensics
…when AMP can do process-level forensics?
Old School:
Malware Alert
Search in the SIEM
Verify the infection
Open a ticket to IT
User is on PTO
Full disk forensics
Find the malware
Format the device
Deliver to the user
AMP:
Block
Endpoint Protection Platform (EPP) vs Endpoint Detection & Response (EDR)
AMP for Endpoints is best described as a hybrid of an EDR, an EPP, and a Next Gen EPP solution.
Critical cybersecurity controls: NIST 2014 / CIS Critical Security Controls (V6.0)
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configuration of End-User Devices
4 Continuous Vulnerability Assessment & Remediation
5 Controlled Use of Administrative Privileges
6 Maintenance, Monitoring, and Analysis of Audit Logs
7 Email and Web Browser Protections
8 Malware Defense
9 Limitation & Control of Network Ports, Protocols, and Services
10 Data Recovery Capability
11 Secure Configuration of Network Devices
12 Boundary Defense
13 Data Protection
14 Controlled Access Based on Need to Know
15 Wireless Access Control
16 Account Monitoring and Control
17 Security Skills Assessment and Appropriate Training
18 Application Software Security
19 Incident Response and Management
20 Penetration Tests and Red Team Exercises
Critical cybersecurity controls mappings
OpenDNS Investigate
OpenDNS Umbrella
Our Threat-Centric Model
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
ASA & AnyConnect
ISE & TrustSec
FirePOWER
WSA/ESA > CWS/CAS/CES
Threat Grid
Advanced Malware Protection (AMP)
Cognitive Threat Analytics (CTA)
Visibility and Control Enables You To Effectively Prevent, Block, Detect, and Remediate Advanced Threats
1. Visibility: See
2. Control
Before an attack: Prevent, with Threat Intelligence and Analytics
During an attack: Detect, Block and Contain, with Point-in-Time protection
After an attack: Record, Analyze, Detect, Remediate, with Continuous Analysis and Retrospective Security
Continuous Analysis and Retrospective Security
Only AMP Continuously Monitors and Analyzes All File Activity, Regardless of Disposition
Across all control points: Web, Endpoints, Email, Network, Mobile
To answer the questions that matter…
Identify a threat's point of origin
See where it's been
See what it is doing
Track its rate of progression and how it spread
Surgically target and remediate
Take advantage of key capabilities
Threat Intelligence: TALOS
1.6 million global sensors
100 TB of data received per day
150 million+ deployed endpoints
Experienced team of engineers, technicians, and researchers
35% worldwide email traffic
13 billion web requests
24x7x365 operations
4.3 billion web blocks per day
40+ languages
1.1 million incoming malware samples per day
AMP Community
Private/Public Threat Feeds
Talos Security Intelligence
AMP Threat Grid Intelligence
AMP Threat Grid Dynamic Analysis: 10 million files/month
Advanced Microsoft and Industry Disclosures
Snort and ClamAV Open Source Communities
AEGIS Program
Web, Endpoints, Devices, Networks, Email, IPS
Automatic updates in real time
Cisco® Collective Security Intelligence
Cisco TALOS
Attack life cycle (Kill Chain)
Bad Actors
• Internet
• Web
• Offline/USB drive
Vulnerability
• Adobe, Flash, Java etc.
Exploitation
• Metasploit/Meterpreter
• Exploit-Kits
Payload
• Malware
• Ransomware
• RAT
• Trojan
IOC
• Compromised EP
• C&C traffic
Lateral Movement
• Searching for the data
Last Stop
• Data Exfiltration/Encryption
AMP for Endpoints
Real Time Vulnerability Status: AMP for Endpoints
TETRA, ETHOS and SPERO: AMP for Endpoints
Device Trajectory: AMP for Endpoints
File Trajectory: AMP for Networks and Endpoints
Cisco
TALOS
Introducing Threat Grid Everywhere
Suspicious file
Analysis report
Edge
Endpoints
Firewalls & UTM
Security Analytics
Web Security
Endpoint Security
Network Security
3rd Party Integration
Security monitoring platforms
Deep Packet Inspection
Gov, Risk, Compliance
SIEM
Dynamic Analysis
Static Analysis
Threat Intelligence
AMP Threat Grid
Cisco Security Solutions
Network Security Solutions
Suspicious file
Premium content feeds
Security Teams
Easily Identify and Prioritize threats
750+ behavioral indicators (and growing)
• Malware families, malicious behaviors, and more
• Detailed description and actionable information
Prioritize threats with confidence
• Enhance SOC analyst and IR knowledge and effectiveness (and security product)
Easy-to-understand Threat Scores guide decision making
Examine files with context-driven analysis
“Outside looking in” approach
No presence in the VM
Proprietary techniques for static and dynamic analyses
Observing all changes to local host and network communications
Downloadable analysis JSON, in minutes
Capability to pivot on any data element
Detailed report identifying key behavioral indicators and threat score
Accurately identify attacks, in near real time
Static and Dynamic analysis execute automatically
Dynamic Analysis: Process tree visualization
Legend:
F: File activity
R: Registry activity
S: Sample process
Process with additional activity
The Glovebox feature lets you interact with (detonate) the malware in real time, recording all activity as a video for later playback and reporting.
The AMP Everywhere Architecture
AMP Protection Across the Extended Network for an Integrated Threat Defense
AMP Threat Intelligence Cloud
Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
AMP on Web and Email Security Appliances
AMP on Cisco® ASA Firewall with Firepower Services
AMP Private Cloud Virtual Appliance
AMP on Firepower NGIPS Appliance (AMP for Networks)
AMP on Cloud Web Security and Hosted Email
CWS/CTA
Threat Grid: Malware Analysis + Threat Intelligence Engine
AMP on ISR with Firepower Services
AMP for Endpoints
Remote Endpoints: AMP for Endpoints can be launched from AnyConnect
Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
AMP on Cisco® ASA Firewall, ISR and NGIPS with Firepower Services
AMP
TALOS
Play Books
Unified Control Center
MSSP
Process Level
AMP like an accelerator to successful cybersecurity strategy
Q/A
Senad Aruc, Cisco Systems
CONSULTING SYSTEMS ENGINEER
Advanced Threats Group
AMP Northern Europe
Office: +31 203 57 25 95
Mobile: +31 6 11 46 57 65
E-Mail: saruc@cisco.com
AMP is rated number one
AMP achieved a 99.2% security effectiveness rating in recent tests by NSS Labs.