Transcript of: Integrated Threat Defense - Cisco (Automated, Integrated Threat Defense: Superior Protection for the Entire Attack Continuum)
Slide 1
Integrated Threat Defense
Timothy Snow, CCIE, Consulting Systems Engineer
Cisco Solutions Summit
Slide 2
The challenges come from every direction. Defenders face:
• Complicit Users
• Sophisticated Attackers
• Complex Geopolitics
• Boardroom Engagement
• Misaligned Policies
• Dynamic Threats
Slide 3
Integrated Threat Defense...
What we want / What we do / What we get
Slide 4
We read about what happens to everyone else...
Slide 5
New Threats and New Security Realities
• 350% increase in countries experiencing major data breaches
• Continuing rise in data breaches year over year
• 60% of data is stolen within hours
• 52% of breaches remain undiscovered for months
• 100% of companies connect to domains that host malicious files or services
Slide 6
Your security options have been limited
• Multiple Point Solutions (Stateful Firewall, VPN, Malware Analysis): difficult integrations leave security gaps; costly and time-consuming setup and support
• Unified Threat Management (UTM): limited threat effectiveness
Slide 7
“There is no castle so strong that it cannot be overthrown by money.” – Cicero
Slide 8
Threats hidden in plain sight
Visibility To Detect, Understand, and Stop Threats
Slide 9
Cisco FirePOWER NGFW/NGIPS offers enhanced visibility
Visibility comparison, Before (Typical IPS, Typical NGFW) versus After (Cisco ASA with FirePOWER Services), across: Threats, Users, Web applications, Application protocols, File transfers, Malware, C&C Servers, Client applications, Operating systems, Routers & switches, Network Servers, Mobile Devices, Printers, VOIP phones.
Slide 10
Cisco FireSIGHT Provides Enhanced Visibility for Accurate Threat Detection and Adaptive Defense
Slide 11
Visibility Enables Application Control
• Bandwidth: Recover Lost Bandwidth
• Mobile: Enforce BYOD Policy
• Social: Security and DLP
• Security: Reduce Attack Surface
Slide 12
C97-732297-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Automated, Integrated Threat Defense: Superior Protection for the Entire Attack Continuum
• Dynamic Security Control
• Multi-Vector Correlation
• Retrospective Security
• Context and Threat Correlation
Context and Threat Correlation: Impact Assessment (Priority 1, Priority 2, Priority 3)
Slide 13
Dynamic Security Control: Adapt Policy to Risks (web traffic illustration)
Slide 14
Multi-vector Correlation: Early Warning for Advanced Threats
Events from several vectors (PDF, Mail, Admin Request) are correlated per host: Host A, Host B, Host C, with IoC tallies such as 3 IoCs and 5 IoCs.
Slide 15
Multi-vector Correlation: Early Warning for Advanced Threats (continued)
Indicators of compromise correlated per host (Host A, Host B, Host C; 3 IoCs, 5 IoCs):
• Malware backdoors
• Exploit kits
• Web app attacks
• CnC connections
• Admin privilege escalations
• Connections to known CnC IPs
• Malware detections
• Office/PDF/Java compromises
• Malware executions
• Dropper infections
Slide 16
Retrospective Security: Shrink Time between Detection and Cure
Slide 17
AMP Offers Point-in-Time and Continuous Protection
• Advanced Malware Protection
Point-in-Time Protection: File Reputation & Sandboxing (One-to-One Signature, Fuzzy Finger-printing, Machine Learning, Advanced Analytics, Dynamic Analysis)
Retrospective Security: Continuous Analysis over a continuous telemetry stream from Web, Endpoints, Network, Email, Devices, and IPS
Breadth and Control points:
• File Fingerprint and Metadata
• File and Network I/O
• Process Information
Slide 18
Threat Scoring: Prioritize threats with confidence
• 300+ behavioral indicators (and growing)
• Malware families, malicious behaviors, and more
• Detailed description and actionable information
• Enhance SOC analyst and IR knowledge and effectiveness (and security product)
Slide 19
Retrospective Security Is Built Upon: Trajectory, Behavioral Indications of Compromise, Breach Hunting, Continuous Analysis, Attack Chain Weaving
1. Performs analysis the first time a file is seen
2. Persistently analyzes the file over time to see if the disposition is changed
3. Giving unmatched visibility into the path, actions, or communications that are associated with a particular piece of software
Slide 21
An unknown file is present on IP: 10.4.10.183, having been downloaded from Firefox.
Slide 22
At 10:57, the unknown file is transferred from IP: 10.4.10.183 to IP: 10.5.11.8.
Slide 23
Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
Slide 24
The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
Slide 25
The Cisco TALOS Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
Slide 26
At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
Slide 27
8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
Slide 28
Advanced Malware Protection (AMP): Remediate quickly after a breach
• Reduce clean-up time from weeks to hours with AMP everywhere
• Identify malware and suspicious files through behavioral indicators
• Eliminate infections by turning back the clock
• Continuous analysis + retrospective security
Slide 29
Cisco Security Intelligence to Battle Advanced Threats: Built on unmatched collective security analytics
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600 engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
Intelligence sources: Cisco AMP community; Advanced Microsoft and industry disclosures; Snort and ClamAV open source communities; AEGIS™ program; Private and public threat feeds; Talos Security Intelligence; AMP Threat Grid Intelligence
Cisco AMP Threat Grid Dynamic Analysis: 10 million files/month
Cisco Talos: Threat Intelligence, Research, Response
Collective Security Intelligence, Pervasive Across the Portfolio: Email, AMP, Web, Network, NGIPS, NGFW
Slide 30
Defend Your Network – Cisco NG FW/IPS/AMP System: #1 in Detection, #1 in Performance, #1 in Vulnerability Coverage, 100% Evasion Free
“For the past six years, Cisco (Sourcefire) has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities.” – Vikram Phatak, CTO, NSS Labs, Inc.
Slide 31
Cisco NGFW / NGIPS Offerings
FirePOWER NGIPS
• Best-of-Breed NGIPS for Advanced Threat Protection
• Scalability up to 60Gbps+
• Application and Identity Aware
• Lower TCO Through Automation
ASA w/ FirePOWER Services (Cisco NGFW)
• Only threat-focused NGFW to cover full attack continuum
• Available on existing ASA-x platforms
• Integrated NGIPS + AMP
• Ultra-Granular Policies: App, Identity, Risk, Business Relevance
Embedded Advanced Malware Prevention (AMP)
• Class-leading advanced malware solution
• File reputation and sandboxing
• Malware Forensics reports
• Malware and file Retrospection
• Cisco AMP Everywhere ensures pervasive coverage
Flexible Deployment: Appliance, Virtual, Cloud
• Common NGIPS and AMP code base
• Common Threat Management: FireSIGHT
• Common Collective Security Intelligence
Slide 32
Why Choose FirePOWER (NGFW/NGIPS) For Integrated Threat Defense?
Supported by Talos, Cisco’s threat intelligence organization
• BEFORE: Discover threats and enforce security policies
• DURING: Detect, block, and defend against attacks
• AFTER: Remediate breaches and prevent future attacks