Cisco - Cisco Sourcefire AMP

Transcription

Open your mobility device and go to PollEv.com/markburke531
Don't Worry – It's Secure!!!

Cisco Advanced Malware Protection
Mark Burke, Systems Engineer
April 2016
Remaining Cisco Sessions Today

Lunch – Keynote: Good Security by Design (Ronnie Scott)

1:00
  Option 1: IoT in Action: The latest use cases in Digital Manufacturing, Digital Transportation, Digital Energy & Digital Workspaces (Dave Jirku)
  Option 2: Flow Analysis – The Missing Link in your Security Architecture (Rob Bleeker)

2:00
  Option 1: Cisco HyperFlex – Next Generation Hyperconverged Infrastructure (Patrick LeMaistre)
  Option 2: Multi-Gigabit Access (Matt McColl)

3:00
  Option 1: ACI – Software Defined Networks for the Rest of Us (Ronnie Scott)
  Option 2: Understanding the Cisco Collaboration Cloud (Cesar Barrero)
Video
• 1990-2000: Viruses (Boot Virus – Macro Virus). Phishing, low sophistication.
• 2000-2005: Worms (DDoS, Trojans, Back Doors, Auto Infection). Hacking becomes an industry.
• 2005-Today: Spyware and Rootkits (Spyware, Malware, Adware). Sophisticated attacks, complex landscape.
• Today +: APTs, Cyberware (Advanced Persistent Threats).
Realities of Modern Threats

Highlights:
• One in four breaches are caused by malicious insiders.
• 95% of all cybercrime is triggered by a user clicking on a malicious link disguised to be legitimate.
• Two in three breaches exploit weak or stolen passwords.
• With lateral movement of advanced persistent threats, even external attacks eventually become internal threats.

(Diagram labels: FW, IDS, IPS; External, Internal.)
Malware Will Get Into Your Environment

• 95% of large companies targeted by malicious traffic
• 60% of data stolen in hours
• $5.9M average cost of a breach in the United States
• 65% of organizations say attacks evaded existing preventative security tools
Once Inside, Organizations Struggle to Deal With It

• 33% of organizations take 2+ years to discover breach
• 55% of organizations unable to determine cause of a breach
• 54% of breaches remain undiscovered for months
• 45 days: average time to resolve a cyber-attack
To Defend Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum

Attack Continuum
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

Supporting capabilities: Threat intelligence and analytics; Point-in-Time detection; Retrospective security and continuous analysis
Coverage: Network, Endpoints, Mobile, Email and Web, Data Center
Cisco Advanced Malware Protection
Built on Unmatched Collective Security Intelligence

Cisco® Collective Security Intelligence (AMP Threat Intelligence Cloud)

Sources: Talos Security Intelligence; AMP Threat Grid Intelligence; AMP Community; Private/Public Threat Feeds; Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; AEGIS Program

Scale:
• 1.6 million global sensors
• 13 billion web requests
• 100 TB of data received per day
• 24x7x365 operations
• 150 million+ deployed endpoints
• Team of engineers, technicians, and researchers
• 35% worldwide email traffic
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
• AMP Threat Grid Dynamic Analysis: 10 million files/month

Automatic updates in real time to devices: WWW, Email, Endpoints, Web, Networks, IPS
AMP – Advanced Malware Protection

Threat Grid unifies analysis and threat intelligence to deliver:
• Automated Analysis
• Context Rich Analytics
• Seamless Integration
In Addition to Threat Intelligence, AMP Delivers

• Point-in-Time Protection (PLAN A): File Reputation, Sandboxing, and Behavioral Detection
• Retrospective Security (unique to Cisco® AMP): Continuous Analysis
Cisco AMP Defends With Reputation Filtering And Behavioral Detection

Point-in-Time Detection
• Reputation Filtering: One-to-One Signature; Fuzzy Finger-printing; Machine Learning
• Behavioral Detection: Indications of Compromise; Dynamic Analysis; Advanced Analytics; Device Flow Correlation

Retrospective Security: Continuous Protection

All of the above draw on Cisco Collective Security Intelligence.
Reputation Filtering Is Built On Three Features: One-to-One Signature

Path A (known malicious file):
1. Unknown file is encountered, signature is analyzed, sent to cloud (Collective Security Intelligence Cloud).
2. File signature is known to be malicious and is prevented from entering the system.

Path B (file not known to be malicious):
3. Unknown file is encountered, signature is analyzed, sent to cloud.
4. File is not known to be malicious and is admitted.
Reputation Filtering Is Built On Three Features: Fuzzy Finger-printing

1. Fingerprint of file is analyzed and determined to be malicious.
2. Malicious file is not allowed entry.
3. Polymorphic form of the same file tries to enter the system.
4. The fingerprints of the two files are compared and found to be similar to one another.
5. Polymorphic malware is denied entry based on its similarity to known malware.
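As an added illustration of the one-to-one signature and fuzzy finger-printing steps above (example code written for this page, not Cisco's implementation): an exact SHA-256 lookup catches the identical file, and a simplified similarity fingerprint (4-byte shingles compared by Jaccard similarity, a stand-in for AMP's real fuzzy fingerprint, whose algorithm the deck does not describe) catches a constructed polymorphic variant while admitting an unrelated clean file. All sample bytes are constructed, not real malware.

```python
import hashlib

def exact_signature(data: bytes) -> str:
    """One-to-One Signature: a cryptographic hash that matches only the identical file."""
    return hashlib.sha256(data).hexdigest()

def fuzzy_fingerprint(data: bytes, n: int = 4) -> set:
    """Simplified fuzzy fingerprint (a stand-in, not Cisco's algorithm): the set of
    n-byte shingles, so a small edit changes only the few shingles that contain it."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: set, b: set) -> float:
    """Jaccard similarity of two fingerprints: 0.0 (nothing shared) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

class ReputationFilter:
    def __init__(self, threshold: float = 0.7):
        self.known_bad_hashes = set()   # one-to-one signatures of known malware
        self.known_bad_prints = {}      # exact hash -> fuzzy fingerprint
        self.threshold = threshold      # similarity needed to convict a variant

    def learn_malicious(self, data: bytes) -> None:
        h = exact_signature(data)
        self.known_bad_hashes.add(h)
        self.known_bad_prints[h] = fuzzy_fingerprint(data)

    def disposition(self, data: bytes) -> tuple:
        """Returns (verdict, reason), following the slide's order of checks."""
        if exact_signature(data) in self.known_bad_hashes:
            return ("blocked", "one-to-one signature match")
        fp = fuzzy_fingerprint(data)
        best = max((similarity(fp, p) for p in self.known_bad_prints.values()), default=0.0)
        if best >= self.threshold:
            return ("blocked", f"fuzzy fingerprint {best:.2f} similar to known malware")
        return ("admitted", "not known to be malicious")

# Constructed samples (not real malware): a known sample, a polymorphic variant
# with a few bytes changed, and an unrelated clean file.
KNOWN = b"MZ" + bytes(range(200)) + b"payload-stage-2-decrypt-loop" * 4
VARIANT = KNOWN.replace(b"stage-2", b"stage-3")
CLEAN = b"%PDF-1.4 " + bytes(range(255, 0, -1)) + b" quarterly report text " * 5

def demo() -> dict:
    """Trains on KNOWN, then classifies all three samples."""
    f = ReputationFilter()
    f.learn_malicious(KNOWN)
    return {name: f.disposition(d)[0]
            for name, d in (("known", KNOWN), ("variant", VARIANT), ("clean", CLEAN))}
```

The variant differs from the known sample in four bytes, so its shingle set overlaps the known fingerprint almost completely; a real fuzzy hash tolerates larger edits, but the decision structure (exact match first, then similarity against known malware) is the one the slide walks through.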
Reputation Filtering Is Built On Three Features: Machine Learning

1. Metadata of unknown file is sent to the cloud to be analyzed.
2. Metadata is recognized as possible malware.
3. File is compared to known malware and is confirmed as malware.
4. Metadata of a second unknown file is sent to cloud to be analyzed.
5. Metadata is similar to known clean file, possibly clean.
6. File is confirmed as a clean file after being compared to a similarly clean file.

Machine Learning Decision Tree: an unknown file is first classed as "possible malware" or "possible clean file"; each branch then resolves to "confirmed malware" or "confirmed clean file".
Behavioral Detection Is Built On Four Features: Indications of Compromise

1. File of unknown disposition is encountered.
2. File replicates itself and this information is communicated to the cloud.
3. File communicates with malicious IP addresses or starts downloading files with known malware disposition.
4. Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client.
5. These indications are prioritized and reported to security team as possible compromise.
Behavioral Detection Is Built On Four Features: Dynamic Analysis

1. Dynamic Analysis Engine executes unknown files in on-premises or cloud sandboxes powered by Cisco® AMP Threat Grid.
2. Two files are determined to be malware, one is confirmed as clean.
3. Cloud is updated with analysis results, and retrospective alerts are broadcast to users.

(Diagram: AMP Threat Grid Sandbox; Collective Security Intelligence Cloud; Collective User Base.)
Behavioral Detection Is Built On Four Features: Advanced Analytics

1. Receives information regarding software unidentified by Reputation Filtering appliances.
2. Receives context regarding unknown software from Collective User Base.
3. Analyzes file in light of the information and context provided.
4. Identifies the advanced malware and communicates the new signature to the user base.

(Diagram: Cisco® AMP Threat Grid Analysis; Collective Security Intelligence Cloud; Collective User Base.)
Behavioral Detection Is Built On Four Features: Device Flow Correlation

1. Device Flow Correlation monitors communications of a host on the network.
2. Two unknown files are seen communicating with a particular IP address.
3. One is sending information to the IP address, the other is receiving commands from the IP address.
4. Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site.
5. Unknown files are identified as malware because of the association.

(Diagram example IP: 64.233.160.0)
Cisco AMP Delivers A Better Approach

• Point-in-Time Protection (PLAN A): File Reputation, Sandboxing, and Behavioral Detection
• Retrospective Security (PLAN B, unique to Cisco® AMP): Continuous Analysis

Cisco AMP Defends With Retrospective Security

Retrospective Security is built on: Continuous Analysis; Attack Chain Weaving; Behavioral Indications of Compromise; Trajectory; Elastic Search. All draw on Cisco Collective Security Intelligence.
Retrospective Security Is Built On… Continuous Analysis

1. Performs analysis the first time a file is seen.
2. Persistently analyzes the file over time to see if the disposition is changed.
3. Gives unmatched visibility into the path, actions, or communications that are associated with a particular piece of software.

(Diagram: Attack Chain Weaving; Behavioral Indications of Compromise; Trajectory; Breach Hunting.)
Retrospective Security Is Built On… Attack Chain Weaving

Uses retrospective capabilities in three ways:
1. File Trajectory – records the trajectory of the software from device to device.
2. Process Monitoring – monitors the I/O activity of all applications on the system.
3. Communications Monitoring – monitors which devices are performing the actions.

Attack Chain Weaving analyzes the data collected by File Trajectory, Process, and Communication Monitoring to provide a new level of threat intelligence.
Retrospective Security Is Built On… Behavioral Indications of Compromise

Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!

1. An unknown file is admitted into the network.
2. The unknown file copies itself to multiple machines.
3. Duplicates content from the hard drive.
4. Sends duplicate content to an unknown IP address.

Using the power of Attack Chain Weaving, Cisco® AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature.
Retrospective Security Is Built On… File Trajectory

1. Unknown file is downloaded to device.
2. Fingerprint is recorded and sent to cloud (Collective Security Intelligence Cloud) for analysis.
3. The unknown file travels across the network to different devices (computers, mobile devices, virtual machines in the diagram).
4. File trajectory automatically records propagation of the file across the network.
5. Sandbox analytics determines the file is malicious and notifies all devices.

If file is deemed malicious, file trajectory can provide insight into which hosts are infected, and it provides greater visibility into the extent of an infection.
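To make the Device Flow Correlation slide and the Continuous Analysis and File Trajectory slides concrete (an added example written for this page, not Cisco's code; the hostnames, hashes, timestamps and IPs are constructed): sightings build a per-file trajectory while files stay "unknown"; an unknown file seen talking to a confirmed malicious IP is convicted by association, and that disposition change yields a retrospective alert listing every host the file already reached, in the order it spread.

```python
from collections import defaultdict

# Constructed telemetry (sample values, not from the deck): file sightings as
# File Trajectory records them, and network flows attributed to each file.
SIGHTINGS = [  # (file hash, host, timestamp)
    ("sha256:aaa", "laptop-01", "2016-04-01T09:00"),
    ("sha256:aaa", "server-02", "2016-04-01T09:05"),
    ("sha256:bbb", "laptop-01", "2016-04-01T09:07"),
    ("sha256:aaa", "vm-03", "2016-04-01T09:20"),
    ("sha256:ccc", "laptop-01", "2016-04-01T09:25"),
]
FLOWS = [  # (file hash, host, remote IP, direction)
    ("sha256:aaa", "server-02", "203.0.113.7", "send"),
    ("sha256:bbb", "laptop-01", "203.0.113.7", "receive"),
    ("sha256:ccc", "laptop-01", "198.51.100.9", "receive"),
]
KNOWN_BAD_IPS = {"203.0.113.7"}  # stand-in for the cloud's IP reputation

class RetrospectiveTracker:
    def __init__(self):
        self.disposition = {}                # hash -> unknown | malicious | clean
        self.trajectory = defaultdict(list)  # hash -> [(timestamp, host), ...]

    def record_sighting(self, file_hash, host, ts):
        self.disposition.setdefault(file_hash, "unknown")
        self.trajectory[file_hash].append((ts, host))

    def correlate_flows(self, flows, bad_ips):
        """Device Flow Correlation: an unknown file talking to a confirmed
        malicious IP is convicted by that association."""
        return sorted({h for h, _host, ip, _d in flows
                       if ip in bad_ips and self.disposition.get(h) == "unknown"})

    def set_disposition(self, file_hash, verdict):
        """Continuous analysis: a later verdict may flip an earlier 'unknown'. A flip
        to malicious returns a retrospective alert over the trajectory; else None."""
        previous = self.disposition.get(file_hash, "unknown")
        self.disposition[file_hash] = verdict
        if verdict == "malicious" and previous != "malicious":
            path = [host for _ts, host in sorted(self.trajectory[file_hash])]
            return {"file": file_hash, "was": previous, "infected_hosts": path}
        return None

def demo():  # replays the constructed telemetry and returns the alerts raised
    t = RetrospectiveTracker()
    for file_hash, host, ts in SIGHTINGS:
        t.record_sighting(file_hash, host, ts)
    alerts = [t.set_disposition(h, "malicious") for h in t.correlate_flows(FLOWS, KNOWN_BAD_IPS)]
    alerts.append(t.set_disposition("sha256:ccc", "clean"))  # sandbox says clean: no alert
    return [a for a in alerts if a is not None]
```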
Retrospective Security Is Built On… Device Trajectory

1. Unknown file is downloaded to a particular device.
2. The file executes.
3. Device trajectory records this, the parent process lineage and all actions performed by the file (Drive #1, Drive #2, Drive #3 in the diagram).
4. File is convicted as malicious and the user is alerted to the root cause and extent of the compromise.
Retrospective Security Is Built On… Elastic Search

1. Elastic Search is the ability to use the indicators generated by Behavioral IoCs to monitor and search for threats across an environment.
2. When a threat is identified, it can be used to search for and identify if that threat exists anywhere else.
3. This function enables quick searches to aid in the detection of files that remain unknown but are malicious.
Cisco AMP Provides Contextual Awareness and Visibility
That Allows You to Take Control of an Attack Before It Causes Damage

• Who – Focus on these users first
• What – These applications are affected
• Where – The breach affected these areas
• When – This is the scope of exposure over time
• How – Here is the origin and progression of the threat
Cisco AMP Everywhere Protects Your Extended Network With Many Deployment Options

• AMP for Endpoints*: Windows OS, MAC OS, Android Mobile, Linux for servers and datacenters, Virtual
• AMP for Networks (AMP on a Cisco FirePOWER NGIPS)
• AMP on Cisco® ASA Firewall with FirePOWER Services
• AMP Private Cloud Virtual Appliance
• AMP on Web and Email Security Appliances
• AMP for Cloud Web Security (CWS) and Hosted Email
• AMP Threat Grid: Malware Analysis + Threat Intelligence Engine, Appliance or Cloud

*AMP for Endpoints can be launched from AnyConnect
Deployment Options in Detail

AMP for Networks (AMP on FirePOWER Network Appliance)
  Method: Snap into your network
  Ideal for: FirePOWER NGIPS customers
  Details: Wide visibility inside network; broad selection of features before, during, and after an attack

AMP on ESA, WSA, ASA, CWS
  Method: License with ESA, WSA, CWS, or ASA customers
  Ideal for: New or existing Cisco CWS, Email/Web Security, ASA customers
  Details: ESA/WSA: prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services

AMP for Endpoints
  Method: Install lightweight connector on endpoints
  Ideal for: Windows, Mac, Android, Linux, virtual machines; can also deploy from AnyConnect client
  Details: Comprehensive threat protection and response; granular visibility and control; widest selection of AMP features

AMP Private Cloud Virtual Appliance
  Method: Deploy on-premises Virtual Appliance
  Ideal for: High-Privacy Environments
  Details: Private Cloud option for those with high-privacy requirements; can deploy full air-gapped mode or cloud proxy mode; for endpoints and networks

Threat Grid
  Method: Hybrid or on-premises integration
  Details: Cloud integration in November 2015; on-premises integration in 1H 2016; integrated into file analysis feature; integration coming in 1H 2016
Are You Able To Defend Against Advanced Malware?

1. Can you detect advanced malware in web and email?
2. Assess your current level of network protection
3. Assess your current level of endpoint protection

Get Started Now

1. Decide on Proof-of-Value (POV) deployment preference
2. Establish a timeframe and installation date for POV
3. Determine hardware requirements and configuration changes
4. Select POV length and delivery
5. Schedule kick-off meeting
AMP Assets to Learn More

AMP Webpages
• www.cisco.com/go/amp
• www.cisco.com/go/ampsolution
• www.cisco.com/go/ampendpoint
• www.cisco.com/go/ampnetwork
• www.cisco.com/go/ampprivatecloud
• www.cisco.com/go/amptg

AMP Solution Overview Videos
• AMP for Endpoints Overview Video
• AMP for Networks Overview Video
• AMP Threat Grid Overview Video
  • Cloud deployment
  • On-premises deployment
• AMP Overview in 4 Minutes: Meet Tom, the IT Security Guy

Cisco Executive Perspectives on Security
• John Chambers on Cisco Security and AMP

Demos
• 5-minute AMP Demo, with Threat Grid integration
• AMP Threat Grid for Incident Response
• AMP and Threat Grid Full Demo on Techwise TV, June 2015
• AMP Threat Grid: Portal overview and API demo

Customer Testimonials
• Playlist of all Customer Testimonials on AMP
• First Financial Bank
• SHSU uses AMP for Endpoints
• Center for Internet Security uses AMP Threat Grid

AMP Assets to Learn More (continued)

Data Sheets, At-a-Glances, Infographic, Whitepapers
• AMP Solution Overview
• AMP Threat Grid Solution Overview
• AMP for Networks: Data Sheet | AAG
• AMP Threat Grid - Appliance: Data Sheet | AAG
• AMP for Endpoints: Data Sheet | AAG
• AMP Threat Grid - Cloud: Data Sheet
• AMP Private Cloud: Data Sheet
• Continuous Endpoint Protection in a Point-in-Time World
• Security Everywhere Whitepaper (direct link)

Third Party Validation
• Gartner Video-on-Demand: Strategies to Combat Advanced Threats featuring Cisco AMP
• 2015 NSS Labs Breach Detection Test Results