AMP like an accelerator to successful cybersecurity strategy

Senad Aruc, Consulting Systems Engineer - Advanced Threats Group, Cisco Systems
Nils Roald, Advanced Threats - North Sales Leader

Transcript of "AMP like an accelerator to successful cybersecurity strategy"

Page 1: Title slide

Senad Aruc
Consulting Systems Engineer - Advanced Threats Group

"A false sense of security is worse than a true sense of insecurity"

"AMP like an accelerator to successful cybersecurity strategy"

Nils Roald
Advanced Threats - North Sales Leader

Page 2: (no text on this slide)

Page 3: Cybersecurity operations best practice - defence in depth

Diagram layers: Detection, Prevention, Remediation, Response, Exposure, Risk, Cybersecurity Operations
Control points: Network Security, Web Security, E-mail Security, Application Security, End Point Security, DATA on End-Point

• AMP on Cisco® ASA Firewall, ISR and NGIPS with Firepower Services
• AMP on Web and Email Security Appliances
• Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
• Threat Grid: Malware Analysis + Threat Intelligence Engine
• AMP and TALOS: Known GOOD, Known BAD, Unknown

Defence in Depth is broken

Page 4: Cybersecurity problems (not the BOB and ALICE story anymore!)

• SandBox
• NextGen
• Endpoint Intelligence
• SHA256
• Sandbox Evade Capability

Page 5: Malware on wire is not a real malware!

Malware on the wire, or malware on the endpoint

Page 6: AMP End-point

CSOC Generations: 1, 2, 3, 4 and 4.5

• Make the unknown, known
• See once, block everywhere
• Accelerate incident response

Page 7: 7/24/365 CSOC 4.5th Generation Architecture

Control points: Network Security, Web Security, E-mail Security, End Point Security, DATA on End-Point, Cybersecurity Operations

• AMP on Cisco® ASA Firewall, ISR and NGIPS with Firepower Services
• AMP on Web and Email Security Appliances
• Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
• Threat Grid: Malware Analysis + Threat Intelligence Engine

Threat intelligence sources:
• TALOS (Talos Public Threat Intelligence)
• Government
• Private Intelligence
• Internal Threat Intelligence

Page 8: Accelerate incident response with AMP

Why do you need full disk forensics for malware, when AMP can do process level forensics?

Old School: Malware Alert -> Search in the SIEM -> Verify the infection -> Open a ticket to IT -> User is in PTO -> Full disk forensics -> Find the malware -> Format the device -> Deliver to the user

AMP: Block

Page 9: Endpoint Protection Platform (EPP) vs Endpoint Detection & Response (EDR)

AMP for Endpoints is more like a hybrid of an EDR, EPP, and Next Gen EPP solution.

Page 10: Critical cybersecurity controls (NIST 2014 / CIS Critical Security Controls V6.0)

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configuration of End-User Devices
4. Continuous Vulnerability Assessment & Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defense
9. Limitation & Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configuration of Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

Page 11: Critical cybersecurity controls mappings

Page 12: Our Threat-Centric Model

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Products mapped to the model:
• ASA & AnyConnect
• ISE & TrustSec
• FirePOWER
• WSA/ESA > CWS/CAS/CES
• Threat Grid
• Advanced Malware Protection (AMP)
• Cognitive Threat Analytics (CTA)
• OpenDNS Umbrella
• OpenDNS Investigate

Page 13: Visibility and Control Enables You To Effectively Prevent, Block, Detect, and Remediate Advanced Threats

1. Visibility (See)
2. Control

Before an attack: Prevent, with Threat Intelligence and Analytics
During an attack: Detect, Block and Contain, with Point-in-Time protection
After an attack: Record, Analyze, Detect, Remediate, with Continuous Analysis and Retrospective Security

Page 14: Continuous Analysis and Retrospective Security

Only AMP Continuously Monitors and Analyzes All File Activity, Regardless of Disposition

Across all control points: Web (WWW), Endpoints, Email, Network, Mobile

To answer the questions that matter, take advantage of key capabilities:
• Identify a threat's point of origin
• See what it is doing
• See where it's been
• Track its rate of progression and how it spread
• Surgically target and remediate

Page 15: Threat Intelligence - TALOS

Cisco® Collective Security Intelligence (Cisco TALOS):
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• Experienced team of engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day

Intelligence sources:
• AMP Community
• Private/Public Threat Feeds
• Talos Security Intelligence
• AMP Threat Grid Intelligence
• AMP Threat Grid Dynamic Analysis (10 million files/month)
• Advanced Microsoft and Industry Disclosures
• Snort and ClamAV Open Source Communities
• AEGIS Program

Automatic updates in real time to all control points: Web (WWW), Endpoints, Devices, Networks, Email, IPS

Page 16: Attack life cycle (Kill Chain)

• Bad Actors: Internet, Web, Email, Offline/USB drive
• Vulnerability: Adobe, Flash, Java etc.
• Exploitation: Metasploit/Meterpreter, Exploit-Kits
• Payload: Malware, Ransomware, RAT, Trojan
• IOC: Compromised EP, C&C traffic
• Lateral Movement: Searching for the data
• Last Stop: Data Exfiltration/Encryption

AMP coverage along the chain:
• AMP for Endpoints
• AMP for Endpoints Real Time Vulnerability Status
• AMP for Endpoints TETRA, ETHOS and SPERO
• AMP for Endpoints Device Trajectory
• AMP for Networks and Endpoints File Trajectory
• Cisco TALOS

Page 17: Introducing Threat Grid Everywhere

Suspicious file -> AMP Threat Grid (Dynamic Analysis, Static Analysis, Threat Intelligence) -> Analysis report
Premium content feeds -> Security Teams

Edge: Endpoints, Firewalls & UTM, Email Security, Web Security, Endpoint Security, Network Security, Security Analytics
Cisco Security Solutions; Network Security Solutions
3rd Party Integration: Security monitoring platforms, Deep Packet Inspection, Gov, Risk, Compliance, SIEM

Page 18: Easily Identify and Prioritize threats

750+ behavioral indicators (and growing)
• Malware families, malicious behaviors, and more
• Detailed description and actionable information

Prioritize threats with confidence
• Enhance SOC analyst and IR knowledge and effectiveness (and security product)
• Easy-to-understand Threat Scores guide decision making

Page 19: Examine files with context-driven analysis

• "Outside looking in" approach: no presence in the VM
• Proprietary techniques for static and dynamic analyses
• Observing all changes to local host and network communications
• Downloadable analysis JSON, in minutes
• Capability to pivot on any data element
• Detailed report identifying key behavioral indicators and threat score
• Accurately identify attacks, in near real time
• Static and Dynamic analysis execute automatically

Dynamic Analysis: Process tree visualization
Legend: F = File activity, R = Registry activity, S = Sample process; process with additional activity

Page 20: Glovebox

The Glovebox feature lets you interact with (detonate) the malware in real time, recording all activity as a video for future playback and reporting.

Page 21: The AMP Everywhere Architecture - AMP Protection Across the Extended Network for an Integrated Threat Defense

AMP Threat Intelligence Cloud
• AMP for Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
• AMP on Web and Email Security Appliances
• AMP on Cisco® ASA Firewall with Firepower Services
• AMP Private Cloud Virtual Appliance
• AMP on Firepower NGIPS Appliance (AMP for Networks)
• AMP on Cloud Web Security and Hosted Email (CWS/CTA)
• Threat Grid: Malware Analysis + Threat Intelligence Engine
• AMP on ISR with Firepower Services
• AMP for Endpoints on Remote Endpoints: AMP for Endpoints can be launched from AnyConnect

Page 22: AMP like an accelerator to successful cybersecurity strategy

• Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for servers and datacenters
• AMP on Cisco® ASA Firewall, ISR and NGIPS with Firepower Services
• AMP and TALOS
• Play Books
• Unified Control Center
• MSSP
• Process Level

Page 23: Q/A

Senad Aruc, Cisco Systems
Consulting Systems Engineer, Advanced Threats Group
AMP Northern Europe
Office: +31 203 57 25 95
Mobile: +31 6 11 46 57 65
E-Mail: [email protected]

AMP is rated number one: AMP achieved a 99.2% security effectiveness rating in recent tests by NSS Labs.