Guillermo González, Security Systems Engineer, October 2017
Advanced Malware Protection
Cisco Security
The New Security Model
Attack Continuum
Control points: Data Center/Servers, Endpoints, Email and Web, Network, Mobile
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate
Threat intelligence and analytics
Point-in-time detection
Retrospective security and continuous analysis
Gain security backed by the most advanced threat intelligence
24x7x365 operations
100 TB of data received daily
1.5 million daily malware samples
600 billion daily email messages
16 billion daily web requests
Millions of telemetry agents
4 global data centers
Over 100 threat intelligence partners
250+ full-time threat intel researchers
Global scanning
30 years building the world's networks
Coverage: Web, Endpoint, Cloud, Virtual, Network
Cisco Advanced Malware Protection: Built on Unmatched Collective Security Intelligence
§ 1.6 million global sensors
§ 100 TB of data received per day
§ 150 million+ deployed endpoints
§ Team of engineers, technicians, and researchers
§ 35% of worldwide email traffic
§ 13 billion web requests
§ 24x7x365 operations
§ 4.3 billion web blocks per day
§ 40+ languages
§ 1.1 million incoming malware samples per day
§ AMP Community
§ Private/Public Threat Feeds
§ Talos Security Intelligence
§ AMP Threat Grid Intelligence
§ AMP Threat Grid Dynamic Analysis: 10 million files/month
§ Advanced Microsoft and Industry Disclosures
§ Snort and ClamAV Open Source Communities
§ AEGIS Program
Coverage points fed by the cloud: Web, Endpoints, Devices, Networks, Email, IPS; automatic updates in real time
Cisco Collective Security Intelligence: AMP Threat Intelligence Cloud
AMP: Advanced Malware Protection
AMP Plan A: Prevention. AMP Plan B: Retrospective Security
Detection engines (reputation filtering and behavioral detection):
1-to-1 signatures
Ethos (polymorphic-variant fingerprinting)
Spero (machine learning)
IOCs
Dynamic analysis
Advanced analytics
Device flow correlation
All of these methods together still give less than 100% detection, which is why Plan B exists
Continuous analysis and retrospective security
Breadth and control points: Web, Endpoints, Network, Email, Devices, IPS
Telemetry stream (continuous feed): file fingerprint and metadata, process information, file and network I/O
Continuous analysis: Talos + Threat Grid intelligence
Outputs: trajectory, behavioral indications of compromise, threat hunting, retrospective detection
www.cisco.com/go/amp
Cisco AMP gives you the answers to the most common questions after a breach
Looks ACROSS the organization and answers:
• When did it happen?
• Where is patient 0?
• What systems were infected?
• What was the entry point?
• What else did it bring in?
The AMP Everywhere Architecture: AMP Protection Across the Extended Network for an Integrated Threat Defense
AMP Threat Intelligence Cloud
AMP for Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS and Red Hat Linux for servers and datacenters
AMP on Web and Email Security Appliances
AMP on Cisco® NGFW firewalls
AMP Private Cloud Virtual Appliance
AMP for Networks (AMP on Firepower NGIPS appliance bundle)
AMP on Cloud Web Security and Hosted Email (CWS/CTA)
Threat Grid: Malware Analysis + Threat Intelligence Engine
AMP on ISR with Firepower Services
AMP for Endpoints on remote endpoints: AMP for Endpoints can be launched from AnyConnect
Cisco AMP: AMP Everywhere
Traffic to the Internet, on network and off network: all other traffic, web traffic, email traffic
On network:
  ASA / Firepower, Meraki: block inline by IP, URL or packet
  ESA/CES: block by sender or content
  WSA/CWS: block by URL or content via proxy
  OpenDNS: blocks by domain as well as IP or URL
Off network:
  ESA/CES: block by sender or content
  CWS: blocks by URL or content via proxy
  OpenDNS: blocks by domain as well as IP or URL
How it works
Internet; AMP connector checks the file hash against the AMP cloud; ThreatGrid connector submits the file
Components: NGFW, malware sandbox, security web proxy, NGIPS, Cisco ESA (Email Security Appliance with AMP), mail server, file server, Cisco FMC, log management, vulnerability management
Zones: users network, SOC / NOC, admin network, DMZ production, DMZ security, DMZ security 2
Example file hash: 8A8116429189D631FC0059627.... (truncated on the slide)
Dispositions returned by the AMP Threat Intelligence Cloud to AMP on ESA: CLEAN, UNKNOWN, MALICIOUS
Threat Grid score > 90: MALICIOUS (threshold as shown on the slide)
Cisco Email Security: reporting, message tracking, management
Inbound and outbound email, Cisco appliance or virtual, fed by Talos; admin at HQ
Inbound controls: anti-spam and anti-virus, mail flow policies
Outbound controls: data loss protection, encryption (outbound liability)
Actions: allow, warn, block, partial block
Email security features across the Before / During / After continuum (matrix on the original slide):
Email reputation, acceptance controls, file reputation, anti-spam, anti-virus, outbreak filters
Mail flow policies, graymail management, safe unsubscribe, content controls
Anti-phish (tracking user click activity), ThreatGrid, URL reputation and categorization
File sandboxing and retrospection, AMP with ThreatGrid
Starting with version 9.5 of the ESA code, both public-cloud and local sandboxing are supported
Cisco AMP ThreatGrid: ESA AMP connector flow
Local AV scanners run on the ESA
AMP client (with local cache) sends a file reputation query to Cisco Talos / AMP Cloud
Pre-classification: a qualified file is uploaded for sandboxing through the sandbox connector
AMP feedback loop only for malicious files
Disposition query: update the cache with the disposition value and upload_action (value 2 on the slide)
Heartbeat retrospective: changed dispositions are pushed back to the connector
AMP for Networks, Plan B: Retrospective Security
www.cisco.com/go/amp
What: these applications are affected
Where: the breach affected these areas
When: this is the scope of exposure over time
How: here is the origin and progression of the threat
Who: focus on these users first
AMP provides contextual awareness and visibility that allows you to take control of an attack before it causes damage
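The hash lookup, sandbox upload and heartbeat-retrospective steps of the connector flow above, and the What / Where / When / Who questions the retrospective view answers, as an added worked example in Python. This is not Cisco's code and not any AMP API: the cloud, sandbox and connector are in-memory stand-ins with assumed names (DispositionCloud, Connector, see_file, retrospective, trajectory), the 90-point threshold is taken from the slide, and the hosts, timestamps and file bytes are constructed.

```python
"""Simplified model of the AMP disposition lookup and retrospective flow.

Added example, not Cisco code: the cloud, sandbox and telemetry store are
in-memory stand-ins and every host, timestamp and file below is constructed."""
import hashlib

CLEAN, UNKNOWN, MALICIOUS = "clean", "unknown", "malicious"
MALICIOUS_SCORE = 90   # assumed sandbox threshold (the slide shows "score > 90")


def sha256(data: bytes) -> str:
    """File fingerprint sent in the reputation query (SHA-256 hex)."""
    return hashlib.sha256(data).hexdigest()


class DispositionCloud:
    """Stand-in for the AMP threat-intelligence cloud: hash -> disposition."""

    def __init__(self):
        self.dispositions = {}      # hash -> CLEAN / MALICIOUS
        self.sandbox_queue = set()  # hashes uploaded for dynamic analysis

    def lookup(self, h):
        return self.dispositions.get(h, UNKNOWN)

    def submit(self, h):
        self.sandbox_queue.add(h)

    def sandbox_verdict(self, h, score):
        """Dynamic analysis finished: convert the threat score to a disposition."""
        self.sandbox_queue.discard(h)
        self.dispositions[h] = MALICIOUS if score > MALICIOUS_SCORE else CLEAN
        return self.dispositions[h]


class Connector:
    """Stand-in for an AMP connector: local cache, telemetry, retrospection."""

    def __init__(self, cloud):
        self.cloud = cloud
        self.cache = {}       # hash -> last known disposition
        self.telemetry = []   # (timestamp, host, hash, source) file events

    def see_file(self, ts, host, data, source):
        """Point-in-time check: record the sighting, return the disposition."""
        h = sha256(data)
        self.telemetry.append((ts, host, h, source))
        disp = self.cache.get(h)
        if disp in (None, UNKNOWN):
            disp = self.cloud.lookup(h)
            if disp == UNKNOWN:
                self.cloud.submit(h)    # qualified file, upload for sandboxing
            self.cache[h] = disp
        return disp   # MALICIOUS here means block at point in time

    def retrospective(self):
        """Heartbeat: re-check cached hashes, return those whose verdict changed."""
        changed = {}
        for h, old in list(self.cache.items()):
            new = self.cloud.lookup(h)
            if new != old:
                self.cache[h] = new
                changed[h] = (old, new)
        return changed

    def trajectory(self, h):
        """Answer the post-breach questions (when, patient 0, entry, systems)."""
        events = sorted(e for e in self.telemetry if e[2] == h)
        if not events:
            return None
        when, patient_zero, _, entry_point = events[0]
        return {"when": when, "patient_zero": patient_zero,
                "entry_point": entry_point,
                "systems": sorted({e[1] for e in events})}


def demo():
    """Constructed scenario: unknown file spreads, sandbox flags it a day later."""
    cloud = DispositionCloud()
    amp = Connector(cloud)
    sample = b"constructed sample: not real malware"     # constructed input
    h = sha256(sample)
    first = amp.see_file("2017-10-01T09:00", "ws-01", sample, "email")
    amp.see_file("2017-10-01T11:30", "ws-07", sample, "fileshare")
    amp.see_file("2017-10-02T08:15", "srv-03", sample, "fileshare")
    cloud.sandbox_verdict(h, 95)            # dynamic analysis completes
    changed = amp.retrospective()           # Plan B: the verdict flipped
    return first, changed, amp.trajectory(h)


if __name__ == "__main__":
    print(demo())
```

The point of the model is the split the slides describe: see_file is Plan A and can only act on what the cloud knows at that instant (the first sighting is allowed through as UNKNOWN), while retrospective plus trajectory are Plan B, turning the stored telemetry into the patient-zero, entry-point and affected-systems answers once the sandbox verdict arrives.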