Endpoint Security
Agenda
• AMP + Threat Grid: what it is, deployment (demo), portal
• Umbrella: what it is, deployment, portal (demo)
• AMP Visibility
• Netteams partner portal (Umbrella)
• Security portfolio
Umbrella (What is it)
It all starts with DNS
(Figure: a client asks the Umbrella resolver for cisco.com and receives 72.163.4.161)
DNS = Domain Name System
• First step in connecting to the internet
• Precedes file execution and IP connection
• Used by all devices
• Port agnostic
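The four points above are why a DNS-layer control needs no knowledge of ports or protocols: the name lookup happens before any TCP or UDP connection exists, so one decision at the resolver covers whatever the client would have done next. The following added example (not Cisco code, not the Umbrella resolver) shows that mechanism in miniature: it parses an A query in DNS wire format, applies a suffix-based block list, and answers either with the upstream address or with a block-page address. The block list, the upstream table standing in for real recursion, and the block-page address 192.0.2.1 (RFC 5737 documentation range) are all constructed for the illustration.

```python
"""DNS-layer enforcement in miniature: the resolver sees the name lookup before
any connection exists, so one policy decision covers every port and protocol.

Added example, not Cisco/Umbrella code. The block list, the upstream table and
the block-page address 192.0.2.1 are constructed for this illustration.
"""
import struct

BLOCK_PAGE_IP = "192.0.2.1"                          # constructed block-page address
BLOCKED_SUFFIXES = {"evil.example", "c2.example"}    # constructed policy
UPSTREAM = {"cisco.com": "72.163.4.161"}             # constructed stand-in for recursion


def build_query(name, txid=0x1234):
    """Encode a standard A/IN query in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_question(pkt):
    """Return (txid, name, qtype, offset just past the question section)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    labels, off = [], 12
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode())
        off += n
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, ".".join(labels), qtype, off + 4


def policy(name):
    """Suffix match, so sub.evil.example is blocked along with evil.example."""
    parts = name.lower().split(".")
    return any(".".join(parts[i:]) in BLOCKED_SUFFIXES for i in range(len(parts)))


def answer(pkt):
    """Build the response: block-page IP for blocked names, upstream IP otherwise,
    NXDOMAIN when the (constructed) upstream table has no entry."""
    txid, name, qtype, qend = parse_question(pkt)
    blocked = policy(name)
    ip = BLOCK_PAGE_IP if blocked else UPSTREAM.get(name)
    if ip is None:
        hdr = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)   # QR, RD, RA, RCODE=3
        return hdr + pkt[12:qend], None, blocked
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)       # QR, RD, RA, 1 answer
    # compressed name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, rdata
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return hdr + pkt[12:qend] + rr, ip, blocked


def parse_answer_ip(resp):
    """Pull the A record out of a response produced by answer(), or None."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if an == 0:
        return None
    return ".".join(str(b) for b in resp[-4:])


def resolve(name):
    """Run one name through the policy resolver; returns (ip, blocked)."""
    resp, ip, blocked = answer(build_query(name))
    return parse_answer_ip(resp), blocked


if __name__ == "__main__":
    for n in ["cisco.com", "sub.evil.example", "unknown.example"]:
        print(n, "->", resolve(n))
```

The client that asked for sub.evil.example never learns the real address, so its later HTTPS, SMB or raw-socket attempt all go to the block page (or nowhere), which is the "port agnostic" property the slide lists.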
Cisco Umbrella
Cloud security platform
• Built into the foundation of the internet
• Intelligence to see attacks before they are launched
• Visibility and protection everywhere
• Enterprise-wide deployment in minutes
• Integrations to amplify existing investments
(Figure: malware, C2 callback and phishing lookups arriving at the Umbrella anycast resolver, 208.67.222.222)
Built into the foundation of the internet
Umbrella provides:
• Connection for safe requests
• Prevention for user- and malware-initiated connections
• Proxy inspection for risky domains
(Figure: a safe request is resolved normally; a blocked request is stopped at the resolver)
Prevents connections before and during the attack
Command and control callback:
• Malicious payload drop
• Encryption keys
• Updated instructions
Web and email-based infection:
• Malvertising / exploit kit
• Phishing / web link
• Watering hole compromise
Stop data exfiltration and ransomware encryption
Where does Umbrella fit?
(Figure: Umbrella as the first line in front of the existing stack. HQ: sandbox, NGFW, proxy, NetFlow, endpoint AV. Branch: router/UTM, endpoint AV. Roaming: endpoint AV only. Malware, C2 callbacks and phishing are stopped at DNS before they reach those layers.)
Benefits
• Block malware before it hits the enterprise
• Contain malware if it is already inside
• Internet access is faster
• Provision globally in minutes
Your security challenges
• Malware and ransomware
• Gaps in visibility and coverage
• Cloud apps and shadow IT
• Difficult to manage security
Umbrella (Deployment)
Deployment (Client)
Umbrella (Portal Demo)
AMP + Threat Grid (What is it)
You've made significant investments in critical security layers: next-generation firewalls, network access control, intrusion prevention systems, gateway security, endpoint security.
But it's impossible to block 100% of threats, 100% of the time.
Single points of inspection have their limitations
The current defense-in-depth approach is built on binary detection:
• Known threats are blocked
• Good files make it through
• Unknown threats are passed to the next system (NGFW, ISR, NGIPS, WSA, ESA, endpoint), which faces the same open question
When an incident turns into a breach, the cost to businesses is significant
• 23% of organizations lost business opportunities as the result of a breach**
• The average per capita cost of a data breach was $225 in the U.S.*
• The average cost of post-breach remediation efforts is $1.56M in the U.S.*
*Source: Ponemon Cost of Security Breach Report 2017
**Source: Cisco Annual Security Report 2017
A single, threat-centric control plane across your infrastructure
(Figure: the AMP Cloud, with malware analysis and threat intel, shared by branch routers, the network edge, the datacenter, gateways, email and endpoints)
Helping you detect and mitigate threats that have evaded your defenses:
• Make the unknown, known
• Accelerate security response
• See once, block everywhere
Detect and mitigate threats in your environment faster
With AMP, trace back threat activity and remediate incidents quickly
In most networks, there's no way to see threat progression or origin:
(Figure: initial device compromised, malicious file downloads launched, information sent from an internal server, customer data compromised, no threat symptoms displayed. With AMP the origin is identified, IoCs are identified and the threat is contained.)
AMP continuously records all activity
Supercharge your existing security infrastructure (Talos, AMP Cloud sandboxing, API integration):
• Protect, detect, and respond across your environment
• Automatically block threats seen outside your network
• APIs augment the functionality of Cisco and 3rd-party products (ESA, ISR, endpoint, NGIPS, WSA, NGFW)
AMP makes everything in your network better
Empower your team to act faster and decrease the impact of an incident
• Understand which alerts need further investigation, with precision
• Eliminate time-consuming and error-prone tasks
• Automate intelligence-driven security responses
With AMP, you get both across your entire environment
(Figure: Talos, AMP Cloud and Threat Grid behind ISR, endpoint, NGIPS, NGFW, WSA / SIG and CES / ESA)
Advanced Malware Protection: Solution Overview
• Software as a service (subscription)
• Cloud managed
• Lightweight connector
• Protects Windows, Mac, Linux, Android, and iOS
What Is Cisco AMP for Endpoints?
• Prevent: prevent attacks and block malware in real time
• Detect: continuously monitor for threats on your endpoints to decrease time to detection
• Respond: accelerate investigations and remediate faster and more effectively
AMP for Endpoints
(Figure: the engines laid out along the time-to-detection axis, from on disk through in memory to post infection)
Plan A, prevention framework (Prevent):
• On disk: Antivirus, Custom Detections, Malicious Activity Protection, AMP Cloud
• In memory: System Process Protection, Exploit Prevention
Plan B, detection framework (Detect):
• Post infection: Device Flow Correlation, Cognitive Threat Analytics
Exploit Prevention
In Memory
• Make the memory unpredictable by changing the memory structure
• Make the app aware of the legitimate memory structure
• Any code accessing the old memory structure is malware!
(Figure, inside the memory space: trusted code is directed to the new system resources; injected malicious code that reaches for the decoy system resources hits the trap)
System Process Protection
In Memory
• Protects system processes from being compromised through memory injection attacks by other processes
(Figure: Windows logon and credential components: Winlogon, Lsass with Msv1_0.dll and Kerberos.dll, LSA server and LSA policy, SAM server and SAM, Netlogon and Active Directory)
AMP Cloud
On Disk
Three engines contribute cloud dispositions:
• 1-to-1 signatures. Capability: unique file matching. Feature: fast protection across all products. Intel: fed by Threat Grid convictions and Talos engines.
• Ethos. Capability: fuzzy fingerprints. Feature: convict multiple polymorphic variants. Intel: large-scale data mining and extensive automation.
• Spero. Capability: zero-day detections without file uploads. Feature: machine learning based on features extracted from the file header. Intel: model trained with in-field and Talos data.
Malicious Activity Protection
On Disk
• Detects abnormal behavior of a running program, initially focused on ransomware
• Uses rules that monitor processes reading, writing and renaming or deleting files within a short span of time
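The rule shape described above (many file modifications by one process in a short span) is simple to demonstrate on an event stream. The following added example is not Cisco's engine and the page does not publish AMP's actual rules: it keeps a sliding time window of write/rename/delete events per process and raises an alert when the number of distinct files touched in that window crosses a threshold. The event stream, the 5-second window and the threshold of 10 files are constructed for the illustration; a legitimate backup process that touches the same number of files slowly is included to show why the window matters.

```python
"""Ransomware-style behaviour detection: count distinct files modified per
process inside a sliding time window and alert above a threshold.

Added example, not Cisco's Malicious Activity Protection rules. The events,
the window and the threshold below are constructed for this illustration.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5          # constructed: span over which activity is counted
THRESHOLD = 10              # constructed: distinct files touched to raise an alert
SUSPICIOUS_OPS = {"write", "rename", "delete"}

# Constructed endpoint file events: (timestamp, pid, process, operation, path)
EVENTS = [
    (0.0, 4120, "winword.exe", "read",  r"C:\Users\a\Documents\q1.docx"),
    (0.4, 4120, "winword.exe", "write", r"C:\Users\a\Documents\q1.docx"),
] + [
    (1.0 + i * 0.2, 7731, "svch0st.exe", "write",
     rf"C:\Users\a\Documents\file{i}.docx") for i in range(12)
] + [
    (1.1 + i * 0.2, 7731, "svch0st.exe", "rename",
     rf"C:\Users\a\Documents\file{i}.docx") for i in range(12)
] + [
    # a legitimate backup job touching 12 files, but one every two seconds
    (9.0 + i * 2.0, 2200, "backup.exe", "write",
     rf"D:\backup\file{i}.bak") for i in range(12)
]


def detect(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return [(pid, process, first_alert_time)] for processes that modified at
    least `threshold` distinct files within any `window` seconds.
    Events must arrive in time order, as a kernel driver would deliver them."""
    recent = defaultdict(deque)      # pid -> deque of (timestamp, path)
    alerted = {}
    for ts, pid, proc, op, path in events:
        if op not in SUSPICIOUS_OPS or pid in alerted:
            continue
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerted[pid] = (pid, proc, ts)
    return list(alerted.values())


if __name__ == "__main__":
    for pid, proc, ts in detect(sorted(EVENTS)):
        print(f"ALERT t={ts:.1f}s pid={pid} {proc}: mass file modification")
```

Only svch0st.exe trips the rule: it rewrites and renames twelve documents in about two seconds, while backup.exe never has more than three files inside any five-second window. A real engine would also act on the alert (suspend the process, roll back the writes), which is the "Protection" half of the feature's name.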
Custom Detections
On Disk
• Simple (hash-based)
  - Quick and easy way to convict unwanted files and initiate Cloud Recall
  - Subject to cached dispositions and the Global Whitelist
• Advanced
  - ClamAV signature language
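The two custom-detection forms differ in what they can catch: a hash convicts exactly one file, a ClamAV body signature convicts every file that contains the pattern, including recompiled variants. The following added example is not AMP's engine and not libclamav; it implements a small subset of the ClamAV signature language (the `.ndb` line format `Name:TargetType:Offset:HexSignature` with the `??` single-byte and `*` gap wildcards) alongside a SHA-256 list, and runs both over constructed sample files. The signature and the samples are constructed for the illustration.

```python
"""Custom detections in both forms from the slide: a simple SHA-256 match and
a ClamAV .ndb body signature with the ?? and * wildcards.

Added example, not AMP's engine and not libclamav: only a subset of the
ClamAV signature language is implemented. The signature and samples are
constructed for this illustration.
"""
import hashlib
import re

# Simple custom detection: exact hash of one known-bad file (constructed sample)
KNOWN_BAD = b"MZ\x90\x00evil-sample-v1"
SIMPLE_LIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Advanced custom detection in ClamAV .ndb syntax (constructed signature):
#   name : target type (0 = any file) : offset (* = anywhere) : hex body
# Body reads: "evil-", any one byte, any gap, "v", any one byte.
NDB_LINE = "Custom.EvilSample:0:*:6576696c2d??*76??"


def parse_ndb(line):
    """Split one .ndb line into its four fields."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, hexsig


def hexsig_to_regex(hexsig):
    """Translate the supported subset of ClamAV hex syntax to a bytes regex:
    `??` matches any one byte, `*` any run of bytes, everything else is literal hex."""
    out = []
    for tok in re.findall(r"\?\?|\*|[0-9a-fA-F]{2}", hexsig):
        if tok == "??":
            out.append(b".")
        elif tok == "*":
            out.append(b".*?")
        else:
            out.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(out), re.DOTALL)


def scan(data, simple_hashes=SIMPLE_LIST, ndb_lines=(NDB_LINE,)):
    """Return the name of the detection that convicts `data`, or None."""
    if hashlib.sha256(data).hexdigest() in simple_hashes:
        return "Simple.SHA256"
    for line in ndb_lines:
        name, target, offset, hexsig = parse_ndb(line)
        pattern = hexsig_to_regex(hexsig)
        if offset == "*":
            hit = pattern.search(data)                 # anywhere in the file
        else:
            hit = pattern.match(data, int(offset))     # anchored at an absolute offset
        if hit:
            return name
    return None


if __name__ == "__main__":
    # constructed samples: the known file, a rebuilt variant, and a clean file
    for label, blob in [("original", KNOWN_BAD),
                        ("variant", b"MZ\x90\x00padding evil-Xsample v2"),
                        ("clean", b"MZ\x90\x00hello world")]:
        print(label, "->", scan(blob))
```

The variant has a different hash, so the simple list misses it and the body signature is what convicts it; that is the trade the slide's two tiers represent. The caveat on the simple tier also shows up here: a hash entry only helps if the file's disposition is actually re-evaluated, which is why cached dispositions and the Global Whitelist can override it.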
Antivirus Engine
On Disk
• Tetra - offline AV engine for Windows
• ClamAV - offline AV engine for macOS, Linux
• AMP Update Server available to distribute definition updates on LAN
Cognitive Threat Analytics
Post Infection
• Data statistics
• Anomaly detection (probabilistic and time series)
• Classification (pictured at right)
• Incidents and campaigns
Device Flow Correlation
Post Infection
• Kernel-level view into network traffic, correlated with initiating process
• Custom IP address detections: IP blacklists and IP whitelists
• Dropper detection and removal in unknown files
• Powered by Cisco Security Intelligence feed
Cloud Indicators of Compromise
Post Infection
• Track behaviors across multiple processes on a single host
• Automate compromise analysis and determination
• Prioritize list of compromised devices
Continuous Analysis and Retrospective Security
Monitor, record, and analyze all file activity, regardless of disposition
Recording lets you:
• Identify a threat's point of origin
• Track its rate of progression and how it spread
• See what it is doing
• See where it's been
• Surgically target and remediate
(Figure: the AMP Cloud shared by endpoints, network appliances (NGIPS, NGFW) and content appliances (WSA, ESA): global file trajectory, whitelists and blacklists, global outbreak control, AMP Unity)
Threat Grid: Solution Overview
Static and Dynamic Analysis
• Static analysis, what the file is and contains: the file on disk, header details, AV engines
• Dynamic analysis, what the file does: execution / detonation, network connections, file / system changes, function / library calls
AMP and Threat Grid Positioning
Land and Expand
• Non-security-focused buyers: AMP for Endpoints, Umbrella, Meraki MX with Advanced File Analysis
• Security-focused buyers: Email with AMP, Threat Grid, AMP for Endpoints, Umbrella with AMP
Positioning AMP for Endpoints
"Can AMP replace my antivirus?" Answer: YES*
*But are we asking the right question?
• Legacy AV: antivirus plus disk encryption, DLP, free toaster oven, ???
• AMP: protection, detection, response
Positioning Threat Grid
Threat Grid Cloud / Appliance:
• Static and dynamic malware analysis powered by Threat Grid
• Discover potential new threats and indicators of compromise
• Extensive reporting: pivot and drill down on data elements
• Adjust sample run time and interact with malware samples in Glovebox
• Single organization-wide view of all sample submissions
• Open API to automate sample uploads from other security tools
AMP-enabled devices:
• Static and dynamic malware analysis powered by Threat Grid
• Discover potential new threats and indicators of compromise
• Basic reporting: behavioral indicators, network activity, etc.
• Limited to 5-minute run time on preset VM images; no interaction
• Only see reports from samples submitted from each technology
Sizing Threat Grid
(Figure: an organization account receives submissions from AMP-enabled devices (NGFW, email, web, Umbrella, endpoint) and from API integrations. 200 Threat Grid submissions per day are included and shared across any number of AMP-integrated devices; organization-wide Advanced File Analysis licenses add to that, for a total of (200 + p + s) submissions per day, with p and s as labelled in the figure.)
Sample behavioral indicator from a Threat Grid report:
"behaviors": [{"name": "excessive-suspicious-activity", "threat": 90}]
Positioning Threat Grid: who is a good prospect?
• Technical analyst / incident responder
• Looking to boost the capabilities of their existing security architecture
• Mature security team, or resource constrained and needs a low-OpEx solution to empower junior analysts with automated submissions
• Has AMP-integrated products (Firepower, AMP for Endpoints, ESA/CES, WSA, Meraki, Umbrella)
AMP and Threat Grid Design
Cloud Architecture
(Figure: the Talos threat intelligence cloud exchanges threat intel with the AMP public / private cloud (file reputation) and receives file analysis results from the Threat Grid cloud / appliance (sandboxing); Threat Grid returns file dispositions, IoCs, ML results and behavioral indicators to AMP)
Service, function, and what powers it:
• File Reputation: blocking of known malicious files; powered by the AMP Cloud
• File Analysis: behavior analysis of unknown files; powered by the Threat Grid Cloud or Threat Grid Appliance
• File Retrospection: retrospective alerting upon disposition change; powered by the AMP Cloud
Solution Overview
AMP and Threat Grid Integrations
(Figure: per-integration table of File Reputation, File Analysis and File Retrospection support for Meraki MX, ESA / CES, WSA, Umbrella, Firepower and Endpoint)
AMP and Threat Grid Deployment Options
Deployment modes by capability:
• File Reputation & Retrospection: AMP Public Cloud or AMP Private Cloud
• File Analysis: Threat Grid Cloud or Threat Grid Appliance
Deployments (Endpoint, Public)
Inside the organization's perimeter the AMP connector on the endpoint talks to the AMP Cloud and the Threat Grid Cloud:
1. File Reputation: the connector sends a file reputation check (hash, ML features, IP lookup) to the AMP Cloud.
2. File Analysis: for a suspicious file the AMP Cloud fetches the file from the connector and sends an analysis request (including the file) to the Threat Grid Cloud.
3. File Retrospection: a malicious file hash is automatically marked in the AMP database and the connector receives the retrospective verdict.
Deployments (Network, Public)
The AMP connector on Firepower works through the FMC:
1. File Reputation: the FMC sends a file reputation check (hash, ML features) to the AMP Cloud.
2. File Analysis: the FMC sends an analysis request (including the file) to the Threat Grid Cloud and receives the analysis report (indicators, threat score).
3. File Retrospection: a malicious file hash is automatically marked in the AMP database and the FMC receives the retrospective verdict.
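The three steps in both deployments form one loop: a reputation lookup records the sighting whatever the verdict, an analysis report may change the disposition later, and the change is pushed back to every host whose trajectory already contains the hash ("see once, block everywhere"). The following added example, not Cisco's service or API, runs that loop in one process with a constructed cloud, three constructed sightings and a constructed Threat Grid-style report of the same shape as the `behaviors` fragment on the sizing slide. The rule that a behavior threat score of 90 or more convicts the file is an assumption made for the example.

```python
"""Reputation lookup, sandbox verdict and retrospective alerting in one loop.

Added example, not Cisco's AMP or Threat Grid service. The cloud, the
sightings and the report are constructed; the 90-point conviction threshold
is an assumption.
"""
import hashlib
import json
from collections import defaultdict

CONVICT_AT = 90   # assumed: behavior threat score at or above which a file is malicious


class AmpCloud:
    """Dispositions keyed by SHA-256 plus the per-hash trajectory of every host
    and path that asked about it, so a later verdict reaches everything seen earlier."""

    def __init__(self):
        self.dispositions = {}                 # sha256 -> "clean" | "malicious"
        self.trajectory = defaultdict(list)    # sha256 -> [(host, path)]
        self.retro_alerts = []                 # (host, path, sha256)

    def reputation(self, sha256, host, path):
        """Step 1: record the sighting regardless of disposition, then answer."""
        self.trajectory[sha256].append((host, path))
        return self.dispositions.get(sha256, "unknown")

    def analyze(self, sha256, report_json):
        """Step 2: consume a sandbox report; step 3 follows if the verdict changes."""
        report = json.loads(report_json)
        score = max((b["threat"] for b in report["behaviors"]), default=0)
        verdict = "malicious" if score >= CONVICT_AT else "clean"
        previous = self.dispositions.get(sha256)
        self.dispositions[sha256] = verdict
        if verdict == "malicious" and previous != "malicious":
            self.retrospect(sha256)
        return verdict

    def retrospect(self, sha256):
        """Step 3: alert every host whose recorded trajectory holds the hash."""
        for host, path in self.trajectory[sha256]:
            self.retro_alerts.append((host, path, sha256))


def run_scenario():
    """Three hosts see the same unknown file before the sandbox verdict arrives.
    Returns (verdicts before analysis, final verdict, retro alerts, later lookup)."""
    cloud = AmpCloud()
    sample = b"constructed dropper bytes"            # constructed file content
    sha = hashlib.sha256(sample).hexdigest()
    sightings = [("hr-laptop-01", "C:/Users/h/Downloads/invoice.exe"),
                 ("fin-desk-07", "C:/Users/f/invoice.exe"),
                 ("ops-srv-02", "D:/tmp/invoice.exe")]
    before = [cloud.reputation(sha, host, path) for host, path in sightings]
    # Constructed report, same shape as the slide's "behaviors" fragment.
    report = json.dumps({"behaviors": [
        {"name": "excessive-suspicious-activity", "threat": 90},
        {"name": "network-activity", "threat": 40}]})
    final = cloud.analyze(sha, report)
    later = cloud.reputation(sha, "new-host", "E:/x.exe")
    return before, final, cloud.retro_alerts, later


if __name__ == "__main__":
    before, final, alerts, later = run_scenario()
    print("before analysis:", before)
    print("verdict:", final)
    for host, path, sha in alerts:
        print(f"retrospective alert: {host} {path} sha256={sha[:12]}...")
    print("later lookup:", later)
```

The point the deployment slides make is visible in the output: the first three lookups all return "unknown" and the file is allowed to land, yet once the report arrives every one of those hosts is named, and a fourth host asking afterwards is blocked outright. Recording sightings "regardless of disposition" is what makes the third step possible.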
AMP Visibility
Who, what, where, when, how:
"This hash has been submitted for analysis 5 times in 30 days, was delivered by email and has been seen by AMP for Endpoints 9 times"
Cisco Visibility
Threat Intelligence Orchestration
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential
• Threat hunting
• One click remediation
• Intelligence correlation
• Perform in-depth investigations
Umbrella Partner Portal
Security Portfolio
https://www.cisco.com/c/en/us/products/security/integrated-cybersecurity-portfolio-demo.html
https://www.youtube.com/watch?v=i6GNTwPpZLo&t=141s
1. Share threat intelligence
2. Share event information
3. Share policy information
4. Share contextual awareness