It’s Time for a New Era in Advanced Threats Analysis
Threat Grid Data in Investigate
Agenda
• What’s New in Investigate
• AMP Threat Grid Overview
• Investigate Overview
• More Information…
• Demo
SIEM Alert for Edward, the Security Analyst
Phish-y Email
sso.anbtr.com
• WHOIS Record Data
• Related IPs & ASNs
• Related Domains
Investigate allows you to pivot between data points
But is that enough?
What does a security analyst need during an investigation?
• Source & destination IP
• HTTP/DNS traffic
• Modifies registry entry
• Intelligence about attacker’s malware
• Intelligence about attacker’s infrastructure
AMP Threat Grid + OpenDNS Investigate = Speed Up Response & Hunt Emergent Threats
OpenDNS Investigate: intelligence about attacker’s infrastructure
• Source & destination IP: 173.236.173.144
• HTTP/DNS traffic: likelybad.com
• Hosted in 22 countries
• baddomain.com
• 162.17.5.245, suspicious.com
• Request spike
AMP Threat Grid: intelligence about attacker’s malware
• Creates .exe file in admin directory
• .doc file modifies WINWORD.exe
• Modifies registry entry
• Other file system activity and artifacts created
Cisco AMP Threat Grid
What is Cisco AMP?
• AMP for Endpoints
• AMP for Firewalls
• AMP for Web
• AMP for Private Cloud Virtual Appliance
• AMP for ISR
• AMP for Networks
• AMP Threat Grid: dynamic and static malware analysis for Endpoint/Network/Content
• Block files & IP connections with point-in-time detection
• Retrospectively act if disposition changes
How does Threat Grid work?
A suspicious file is submitted to AMP Threat Grid, which runs static analysis, dynamic analysis and threat intelligence lookups and returns an analysis report for the sample (SHA256: 23e32ad4…).
Introducing Threat Grid Everywhere
AMP Threat Grid (dynamic analysis, static analysis, threat intelligence) receives suspicious files from, and returns analysis reports to, Cisco Security Solutions and Network Security Solutions, including:
• Edge
• Endpoints
• Firewall & UTM
• Security Analytics
• Web Security
• Endpoint Security
• Network Security
• 3rd Party Integration
• Security monitoring platforms
• Deep Packet Inspection
• Gov, Risk, Compliance
• SIEM
Security Teams also receive premium content feeds.
Ransomware Execution
Investigate Overview
Investigate: The Most Powerful Way to Uncover Threats
Domains, IPs & ASNs, accessed via console, SIEM/TIP or API
KEY POINTS
• Intelligence about domains, IPs, & malware across the Internet
• Live graph of DNS requests and other contextual data
• Correlated against statistical models
• Discover & predict malicious domains & IPs
• Enrich security data with global intelligence
HOW DOES IT HELP?
• Speeds up incident investigations and decreases attacker dwell time
• See attackers’ infrastructure like never before with Internet-wide visibility
• Enables responders to hunt, discover critical attack context, & use threat intel effectively
Our Perspective: Diverse Set of Data & Internet-Wide Visibility
• Requests Per Day: 80B
• Countries: 160+
• Daily Active Users: 65M
• Enterprise Customers: 12K
Statistical Models
“C-Rank” Model (co-occurrences)
• Identifies other domains looked up in rapid succession with a given domain
• Correlations uncover other domains related to an attack
“NLP-Rank” Model (Natural Language Processing & AS Matching)
• Detects domain names that spoof brand and tech terms in real time
“SP-Rank” Model (spike rank)
• Detects domains with sudden spikes in traffic
• Finds domains involved in active attacks
Predictive IP Space Monitoring
• Analyzes how servers are hosted to detect future malicious domains
• Identifies steps that precede malicious activity
Many More Models
• Live DGA
• SecureRank
• Geo-Diversity
• Geo-Distance
Earliest & Most Accurate Predictions & Classifications
1M+ Live Events Per Second
FULLY AUTOMATED
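To make the co-occurrence idea behind the C-Rank model concrete, here is a toy implementation added for this page (it is not OpenDNS or Cisco code, and the real model's window and scoring are not described on the slides). It assumes a constructed DNS query log in the form "timestamp client domain", reusing the domain names from the earlier slides as sample data, and scores each candidate domain by the fraction of lookups of a seed domain that it followed within a 5-second window on the same client.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed DNS query log, "ISO-timestamp client domain" per line (sample data,
# not real traffic); the domain names are the ones used on the slides.
SAMPLE_LOG = """\
2016-11-01T10:00:00 10.0.0.5 sso.anbtr.com
2016-11-01T10:00:02 10.0.0.5 likelybad.com
2016-11-01T10:00:03 10.0.0.5 cdn.example.net
2016-11-01T10:00:01 10.0.0.7 sso.anbtr.com
2016-11-01T10:00:04 10.0.0.7 likelybad.com
2016-11-01T10:05:00 10.0.0.9 suspicious.com
2016-11-01T10:05:10 10.0.0.9 sso.anbtr.com
2016-11-01T10:05:11 10.0.0.9 likelybad.com
2016-11-01T10:05:30 10.0.0.9 cdn.example.net
"""


def parse_log(text):
    """Parse log lines into a time-sorted list of (timestamp, client, domain)."""
    events = []
    for line in text.splitlines():
        ts, client, domain = line.split()
        events.append((datetime.fromisoformat(ts), client, domain))
    return sorted(events)


def co_occurrences(events, seed, window_s=5):
    """Toy C-Rank: for every lookup of `seed`, collect the distinct domains the same
    client resolved within window_s seconds afterwards; score = fraction of seed
    lookups each candidate followed (1.0 means it followed every seed lookup)."""
    by_client = defaultdict(list)          # per-client query history, time-ordered
    for ts, client, domain in events:
        by_client[client].append((ts, domain))
    followers, seed_lookups = Counter(), 0
    for queries in by_client.values():
        for i, (t0, d0) in enumerate(queries):
            if d0 != seed:
                continue
            seed_lookups += 1
            seen = set()                   # count each candidate once per seed lookup
            for t1, d1 in queries[i + 1:]:
                if (t1 - t0).total_seconds() > window_s:
                    break                  # history is sorted, so nothing later fits
                if d1 != seed:
                    seen.add(d1)
            followers.update(seen)
    return {d: n / seed_lookups for d, n in followers.items()} if seed_lookups else {}


if __name__ == "__main__":
    scores = co_occurrences(parse_log(SAMPLE_LOG), "sso.anbtr.com")
    for domain, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{domain:20s} co-occurrence score {score:.2f}")
```

In the sample data likelybad.com follows every lookup of the phishing domain and scores 1.0, while suspicious.com, which was queried before the seed, is not counted at all.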
A Single, Correlated Source of Intelligence
INVESTIGATE
• WHOIS record data
• ASN attribution
• IP geolocation
• Domain & IP reputation scores
• Malware file analysis
• Domain co-occurrences
• Anomaly detection (DGAs, FFNs)
• DNS request patterns / geographic distribution
• Passive DNS database
Investigate + Threat Grid = most complete threat intelligence
INTERNET INFRASTRUCTURE INTELLIGENCE (Investigate): research domains, IPs, ASNs used in attacks and proactively uncover future threats, drawing on DNS, BGP, ASN, IP and domain data.
MALWARE FILE INTELLIGENCE (AMP Threat Grid): static & dynamic analysis to learn how the malware file behaves on the system
• Artifacts created
• Registry & system changes
• Network connections made
• IOCs identified
More information…
“I don’t have TG yet, what can I see in Investigate?”
1. Malware samples associated with a domain
2. Threat Score & AV Results (better attribution)
3. Network Connections
4. Behavioral Indicators
“I already have TG, what’s the added benefit for me?”
1. Search for artifacts (non-TG users can only view samples)
2. See additional TG data in Investigate (associated artifacts)
3. Pivot from Investigate into Threat Grid during investigations
Demo
With this offer, you will:
• Gain valuable information on your network, including critical attacks
• Reduce risk and make security a growth engine for your business
This offer is valid through December 29th, 2016 in Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, Netherlands, Norway, Spain, Sweden, Switzerland and the United Kingdom.
For more information and to request a Threat Scan POV, go to www.cisco.com/go/threatscanpov