Threat Grid Data in Investigate - Cisco


Page 1

It’s Time for a New Era in Advanced Threats Analysis

Threat Grid Data in Investigate

Page 2

Agenda

• What’s New in Investigate

• AMP Threat Grid Overview

• Investigate Overview

• More Information…

• Demo

Page 3

SIEM Alert for Edward, the Security Analyst

Page 4

Phish-y Email

sso.anbtr.com

Page 5

WHOIS Record Data · Related IPs & ASNs · Related Domains

Investigate allows you to pivot between data points

Page 6

But is that enough?

Page 7

What does a security analyst need during an investigation?

• Source & destination IP

• HTTP/DNS traffic

• modifies registry entry

• Intelligence about attacker’s malware

• Intelligence about attacker’s infrastructure

Page 8

AMP Threat Grid + OpenDNS Investigate = Speed Up Response & Hunt Emergent Threats

OpenDNS Investigate: Intelligence about attacker’s infrastructure

• Source & destination IP: 173.236.173.144

• HTTP/DNS traffic: likelybad.com

• Hosted in 22 countries

• baddomain.com, 162.17.5.245, suspicious.com

• Request spike

AMP Threat Grid: Intelligence about attacker’s malware

• creates .exe file in admin directory

• .doc file modifies WINWORD.exe

• modifies registry entry

• other file system activity and artifacts created

Page 9

Cisco AMP Threat Grid

Page 10

What is Cisco AMP?

• AMP for Endpoints

• AMP for Firewalls

• AMP for Email

• AMP for Web

• AMP for Private Cloud Virtual Appliance

• AMP for ISR

• AMP for Networks

• Threat Grid

Page 11

What is Cisco AMP?

1. Artifact

2. AMP Threat Grid: dynamic and static malware analysis for Endpoint/Network/Content

3. Block files & IP connections with point-in-time detection; retrospectively act if disposition changes

Page 12

How does Threat Grid work?

Suspicious file (SHA256: 23e32ad4…) → AMP Threat Grid (Static Analysis, Dynamic Analysis, Threat Intelligence) → Analysis report

Page 13

Introducing Threat Grid Everywhere

Suspicious file → AMP Threat Grid (Dynamic Analysis, Static Analysis, Threat Intelligence) → Analysis report

Cisco Security Solutions: Edge, Endpoints, Firewall & UTM, Email Security, Analytics, Web Security, Endpoint Security, Network Security

Network Security Solutions

3rd Party Integration: Security monitoring platforms, Deep Packet Inspection, Gov, Risk, Compliance, SIEM

Premium content feeds; Security Teams

Page 14

Ransomware Execution

Page 15

Investigate Overview

Page 16

Investigate: The Most Powerful Way to Uncover Threats

DOMAINS, IPs & ASNs; delivered via CONSOLE, SIEM, TIP, API

KEY POINTS

• Intelligence about domains, IPs, & malware across the Internet

• Live graph of DNS requests and other contextual data

• Correlated against statistical models

• Discover & predict malicious domains & IPs

• Enrich security data with global intelligence

Page 17

HOW DOES IT HELP?

• Speeds up incident investigations and decreases attacker dwell time

• See attackers’ infrastructure like never before with Internet-wide visibility

• Enables responders to hunt, discover critical attack context, & use threat intel effectively

Page 18

Our Perspective: Diverse Set of Data & Internet-Wide Visibility

• 80B Requests Per Day

• 160+ Countries

• 65M Daily Active Users

• 12K Enterprise Customers

Page 19

Statistical Models: Earliest & Most Accurate Predictions & Classifications

“C-Rank” Model (co-occurrences)

• Identifies other domains looked up in rapid succession of a given domain

• Correlations uncover other domains related to an attack

“NLP-Rank” Model (Natural Language Processing & AS Matching)

• Detect domain names that spoof brand and tech terms in real-time

“SP-Rank” Model (spike rank)

• Detect domains with sudden spikes in traffic

• Finds domains involved in active attacks

Predictive IP Space Monitoring

• Analyzes how servers are hosted to detect future malicious domains

• Identifies steps that precede malicious activity

Many More Models

• Live DGA

• SecureRank

• Geo-Diversity

• Geo-Distance

1M+ Live Events Per Second

FULLY AUTOMATED
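An added, constructed illustration of the two model ideas this slide names, a C-Rank-style co-occurrence count and an SP-Rank-style request-spike check, run over a few hand-made resolver log entries. This is not OpenDNS or Cisco code; every client id, domain and timestamp in it is invented.

```python
from collections import Counter, defaultdict

# Constructed resolver log: (timestamp_sec, client_id, domain). Invented data, not OpenDNS telemetry.
DNS_LOG = [
    (0, "c1", "likelybad.com"), (2, "c1", "baddomain.com"), (4, "c1", "cdn.example.net"),
    (100, "c2", "likelybad.com"), (101, "c2", "baddomain.com"), (103, "c2", "suspicious.com"),
    (200, "c3", "likelybad.com"), (205, "c3", "baddomain.com"),
    (300, "c4", "news.example.org"), (301, "c4", "cdn.example.net"),
    (900, "c5", "baddomain.com"),  # no seed lookup nearby, so not a co-occurrence
] + [(36000 + i, f"c{i % 20}", "suspicious.com") for i in range(40)]  # constructed burst in hour 10


def co_occurrences(log, seed, window=60, min_clients=2):
    """C-Rank-style count: domains that clients looked up within `window` seconds
    after looking up `seed`, kept only if at least `min_clients` clients did so."""
    by_client = defaultdict(list)
    for ts, client, domain in log:
        by_client[client].append((ts, domain))
    support = Counter()
    for events in by_client.values():
        events.sort()
        seed_times = [ts for ts, d in events if d == seed]
        followers = {d for ts, d in events
                     if d != seed and any(0 < ts - st <= window for st in seed_times)}
        support.update(followers)  # each client counts a domain once
    return [(d, n) for d, n in support.most_common() if n >= min_clients]


def request_spikes(log, bucket=3600, ratio=5.0, min_requests=10):
    """SP-Rank-style check: per-domain request counts per `bucket` seconds; flag a
    domain whose latest bucket exceeds `ratio` times the mean of its earlier buckets.
    Returns {domain: (baseline_mean, latest_count)}."""
    counts = defaultdict(Counter)
    for ts, _, domain in log:
        counts[domain][ts // bucket] += 1
    flagged = {}
    for domain, per_bucket in counts.items():
        buckets = sorted(per_bucket)
        if len(buckets) < 2:  # nothing to compare against
            continue
        history = [per_bucket[b] for b in buckets[:-1]]
        baseline = sum(history) / len(history)
        latest = per_bucket[buckets[-1]]
        if latest >= min_requests and latest > ratio * baseline:
            flagged[domain] = (baseline, latest)
    return flagged


if __name__ == "__main__":
    print(co_occurrences(DNS_LOG, "likelybad.com"))  # [('baddomain.com', 3)]
    print(request_spikes(DNS_LOG))  # {'suspicious.com': (1.0, 40)}
```

The baseline here is the mean of only those buckets that saw traffic, so quiet hours do not pull it down; a production pipeline would fill empty buckets with zero and use far larger windows and thresholds.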

Page 20

A Single, Correlated Source of Intelligence

INVESTIGATE

WHOIS record data

ASN attribution

IP geolocation

Domain & IP reputation scores

Malware file analysis

Domain co-occurrences

Anomaly detection (DGAs, FFNs)

DNS request patterns/geo. distribution

Passive DNS database

Page 21

Investigate + Threat Grid = most complete threat intelligence

INTERNET INFRASTRUCTURE INTELLIGENCE (Investigate): research domains, IPs, ASNs used in attacks and proactively uncover future threats

• DNS, BGP, ASN, IP, DOMAIN

MALWARE FILE INTELLIGENCE (AMP Threat Grid): static & dynamic analysis to learn how the malware file behaves on the system

• Artifacts created

• Registry & system changes

• Network connections made

• IOCs identified

Page 22

More information…

Page 23

“I don’t have TG yet, what can I see in Investigate?”

1. Malware samples associated with a domain

2. Threat Score & AV Results (better attribution)

3. Network Connections

4. Behavioral Indicators

Page 24

“I already have TG, what’s the added benefit for me?”

1. Search for artifacts (non-TG users can only view samples)

2. See additional TG data in Investigate (associated artifacts)

3. Pivot from Investigate into Threat Grid during investigations

Page 25

Demo

Page 26

• With this offer, you will:

  • Gain valuable information on your network including critical attacks

  • Reduce risk and make security a growth engine for your business

• This offer is valid through December 29th, 2016 in Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, Netherlands, Norway, Spain, Sweden, Switzerland and United Kingdom.

• For more information and to request a Threat Scan POV, go to www.cisco.com/go/threatscanpov

Page 27