This document provides an agenda and overview for a presentation on cybersecurity game planning for success using Cisco Advanced Malware Protection (AMP). The presentation discusses the industrialization of hacking and growing threats, limitations of traditional point-in-time security solutions, and how AMP provides both point-in-time and retrospective protection across networks, endpoints, email, and web using continuous analysis in the cloud. The presentation demonstrates AMP's threat intelligence capabilities and integration across the Cisco security portfolio.
5. There is a multi-billion dollar global industry targeting your prized assets: $450 Billion to $1 Trillion
• Social Security: $1
• Mobile Malware: $150
• Bank Account Info: >$1000 depending on account type and balance
• Facebook Accounts: $1 for an account with 15 friends
• Credit Card Data: $0.25-$60
• Malware Development: $2500 (commercial malware)
• DDoS as a Service: ~$7/hour
• Spam: $50/500K emails
• Medical Records: >$50
• Exploits: $1000-$300K
Industrialization of Hacking
13. In the news… what do these all have in common?
• Home Depot
• Over 50 UPS Franchises hit by data breach
• 4.5M Records stolen from US Health Giant
• Goodwill
• Russian Hackers steal 4.5B records
• Meet Me Social Network Users’ Passwords Stolen
• Insider breach at Las Vegas Brain and Spine Surgery Center
• Florida bank notifies roughly 72,000 customers of breach
• Los Angeles based health system breached
• Payment cards used on Wireless Emporium website compromised
• Albertson’s stores CC data hacked
• $100,000 bitcoin loss due to hack
• Microsoft’s Twitter Account Hacked
• Sony’s Twitter Account Hacked
• Russian PM’s Twitter hacked – “I resign”
• NRC Computers hacked 3 times
• Ferguson police office computers hacked
• Norwegian oil industry under attack
• Saudi TV website hacked by Libyan
• Sony suffers DoS attack
• Dairy Queen hacked
• JP Morgan
14. What Can We Learn From Sony
12/04/2014: What has happened at Sony Pictures Entertainment over the past week reads like a blockbuster screenplay—or a chief executive’s nightmare: Hackers target a major company, disabling its internal systems and leaking documents revealing long-held secrets, from coming products to executive pay.
12/05/2014: The Sony data breach continues to get worse. First, it was exposed budgets, layoffs and 3,800 SSNs, then it was passwords. Now, it's way more social security numbers—including Sly Stallone's. The Wall Street Journal reports that analysis of the documents leaked so far included the Social Security numbers of 47,000 current and former Sony Pictures workers. That included Sylvester Stallone, Rebel Wilson, and Anchorman director Judd Apatow. The Journal reports that the SSNs are found alongside salary information, home addresses, and contract details.
15. What Can We Learn From Traditional Point in Time Solutions
16. We Tested all of These Solutions
Point-in-time solutions: Application Control, FW/VPN, IDS/IPS, UTM, NAC, AV, PKI, Sandboxing, Threat Analytics
Their promises: “Captive portal”, “It matches the pattern”, “No false positives, no false negatives”, “Block or Allow”, “Fix the Firewall”, “No key, no access”, “Detect the Unknown” (Sandboxing), “Outside looking in” (Threat Analytics)
The best point-in-time protection protects you 90+% of the time.
17. Even Sandboxing Has Holes
Antivirus / Sandboxing: Initial Disposition = Clean; Actual Disposition = Bad. Too late!!
• Not 100%
• Analysis stops (the Event Horizon)
• Sleep techniques
• Unknown protocols
• Encryption
• Polymorphism
• Blind to scope of compromise
18. Recap of Issues that need to be fixed by security providers
• Targeted attacks / advanced persistent threats are hard to detect.
• Malware has an ecosystem of components, and it’s important to understand what that ecosystem is and which part of any solution addresses those ecosystem components.
• Malware’s intentions are nefarious in nature, but the components are built just like standard software, so it can easily hide in your environment.
• Don’t get caught up in the catch rate game, because no security solution protects you 100%. What about the files they missed? The industry average to find a file that got by your defenses is 200 days.
• Do traditional point-in-time solutions like Email, Content, Next Gen Firewall, IPS, AV and Sandbox solutions give you the visibility you need? Be honest with yourself: do they allow you to proactively reduce your attack surface?
• Regardless of your security solutions, always back up your data, because no one is 100%!
19. AMP goes beyond point-in-time detection
Attack Continuum:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Email & Web
Point-in-time and Continuous protection, delivered from the Cloud
20. Continuous Protection when advanced malware evades point-in-time detection
Point-in-time detection (Antivirus, Sandboxing): Initial Disposition = Clean; Actual Disposition = Bad = Too late!!
• Not 100%
• Analysis stops
• Sleep techniques
• Unknown protocols
• Encryption
• Polymorphism
AMP: Initial Disposition = Clean, but analysis continues, giving Retrospective Detection
28. Speed Matters: Time to Detection (TTD)
The current industry TTD rate of 100 to 200 days is not acceptable.
Industry: 200 days vs Cisco: 17.5 hours (Cisco 2015 Midyear Security Report)
• Speed of Innovation > ~40% Efficacy
• Point products >> weak defenses
• Integrated Threat Defense is needed
Cisco Minimizes the Time to Detect Breaches
29. Cisco Advanced Malware Protection
Built on Unmatched Collective Security Intelligence
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600 engineers, technicians, and researchers
• 35% of worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
• AMP Threat Grid Dynamic Analysis: 10 million files/month
Intelligence sources: AMP Community, Private/Public Threat Feeds, Talos Security Intelligence, AMP Threat Grid Intelligence, Advanced Microsoft and Industry Disclosures, Snort and ClamAV Open Source Communities, AEGIS Program
Protected: Email, Endpoints, Web, Networks, IPS, Devices, WWW
Automatic updates in real time
Cisco® Collective Security Intelligence Cloud / AMP (Advanced Malware Protection)
3.5 BILLION SEARCHES TODAY
19.6 BILLION THREATS BLOCKED TODAY
31. How Cisco Made a Better Sandbox
• Allows you to interact with malware via Glove Box
• Outside-looking-in approach, no hooks
• Prioritizes threats with context-driven malware analytics
36. Introducing Threat Grid Everywhere
AMP Threat Grid (Dynamic Analysis, Static Analysis, Threat Intelligence) sits between:
• Cisco Security Solutions: Edge, Endpoints, Firewalls & UTM, Email Security, Web Security, Endpoint Security, Network Security, Security Analytics
• Network Security Solutions and 3rd Party Integration: security monitoring platforms, Deep Packet Inspection, Gov/Risk/Compliance, SIEM
Flow: a suspicious file goes in; an analysis report and premium content feeds go out to Security Teams.
37. Automatically submit suspicious files
Automated analysis, from edge to endpoint
Submission: an analyst or system (API) submits a suspicious sample to Threat Grid.
Sources of suspicious files: Edge (ASA w/FPS, ESA, Next Gen IPS, WSA) and Endpoints (AMP for Endpoints, AMP for Networks)
38. Easily integrate with partner solutions
Partner solutions shown: Security Analytics, Nessus, XPS, EnCase Enterprise, 360
API: Our robust REST API streamlines partner integration
40. AMP Threat Grid: Key Differentiators
Data Fidelity & Performance | Scalability & Flexibility | Usability | Context & Data Enrichment | Integration & Architecture
• Proprietary analysis delivers unparalleled insight into malicious activity
• High-speed, automated analysis and adjustable runtimes
• Does not expose any tags or indicators that malware can use to detect that it is being observed
• 100,000s of samples analyzed daily (6-10 million per month)
• SaaS delivery (no hardware) or Appliance (as needed)
• Search and correlate all data elements of a single sample against billions of sample artifacts collected and analyzed over years (global and historic context)
• Enables the analyst to better understand the relevance of the sample in question to one’s environment
• Clearly presented information for all levels of the IT Security team: Tier 1-3 SOC Analysts, Incident Responders & Forensic Investigators, and Threat Intel Analysts
• Web portal, Glovebox (User Interaction), Video Replay, Threat Score, Behavioral Indicators and more
• Architected from the ground up with an API to integrate with existing IT security solutions (automatically receive submissions from other solutions and pull the results into your environment)
• Create custom threat intelligence feeds with context or leverage automated batch feeds
41. AMP for Networks
AMP Appliance (NextGen Firewall, IPS, URL & AMP)
The AMP appliance was designed to run all Firepower features: NextGen Firewall, IPS, URL filtering and Advanced Malware Protection (AMP). It was built on the FP platform and has had its CPU and memory optimized to run all the security features while maintaining the performance throughput numbers per the AMP for Networks datasheet. The AMP Appliance also includes a hardware storage pack / SSD drive to store files for later analysis; this is required for AMP capabilities.
Firepower Appliance (NextGen Firewall, IPS & URL)
The Firepower appliance was designed to run the Firepower features NextGen Firewall, IPS & URL filtering. If you want to turn on Advanced Malware Protection (AMP) capabilities at a later date you can, but you will need to buy and install the hardware storage pack / SSD drive and the AMP software. Keep in mind that when you turn on the AMP features you will see a performance hit, so you will need to make sure the FP appliance is sized correctly for the customer’s environment. If a customer wants AMP, always try to go with the AMP appliance for new purchases.
ASA X-series with SSD / SW blade (Firewall with VPN, NextGen Firewall, IPS, URL & AMP)
The ASA X-series with SSD / SW blade was designed to run all Firepower features (NextGen Firewall, IPS, URL and Advanced Malware Protection (AMP)); you can also run traditional firewall and VPN capabilities. Keep in mind that when you turn on the more advanced Firepower features you will see a performance hit, so you will need to size this appliance correctly for the customer’s environment.
43. How Cisco AMP Works: Network File Trajectory Use Case
45. An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
46. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
47. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
48. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
49. The Cisco® Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
50. At the same time, a device with the AMP for Endpoints connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
51. Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
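The retrospective-detection idea from slide 20 and the file trajectory use case in slides 45-51, as an added Python sketch (not Cisco's code or AMP's implementation): a tracker records every sighting of a file hash, so when the verdict later changes from unknown to malicious it can raise a retrospective event for every host that ever held the file, and the next sighting is blocked instead of allowed. The hash and the minute offsets are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder hash for the unknown file (not a real indicator).
FILE_HASH = "0" * 63 + "1"

@dataclass(frozen=True)
class Sighting:
    minute: int   # minutes after the first download (constructed timeline)
    host: str     # device that now holds the file
    via: str      # how the file arrived on that device

class TrajectoryTracker:
    """Keeps every sighting of every hash so a later verdict can be applied retroactively."""

    def __init__(self):
        self.disposition = {}                 # sha256 -> "unknown" | "clean" | "malicious"
        self.trajectory = defaultdict(list)   # sha256 -> ordered list of Sighting

    def observe(self, sha256, sighting):
        """Point-in-time check: record the sighting, block only if already known bad."""
        self.trajectory[sha256].append(sighting)
        verdict = self.disposition.setdefault(sha256, "unknown")
        return "block" if verdict == "malicious" else "allow"

    def set_disposition(self, sha256, verdict):
        """Apply a new cloud verdict. A change to 'malicious' returns the retrospective
        event: every host that has ever held the file, so each can be scoped and cleaned."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict == "malicious" and previous != "malicious":
            return sorted({s.host for s in self.trajectory[sha256]})
        return []

def run_use_case():
    """Replay the trajectory from slides 45-51 with constructed timestamps."""
    tracker = TrajectoryTracker()
    sightings = [
        Sighting(0,   "10.4.10.183", "firefox"),    # initial download
        Sighting(0,   "10.5.11.8",   "transfer"),   # 10:57 copy to a second device
        Sighting(420, "10.3.4.51",   "smb"),        # seven hours later
        Sighting(450, "10.5.60.66",  "smb"),        # half an hour after that
    ]
    initial = [tracker.observe(FILE_HASH, s) for s in sightings]   # all "allow"
    affected = tracker.set_disposition(FILE_HASH, "malicious")     # retrospective event
    # Eight hours after the first attack the file re-enters at the original host.
    reentry = tracker.observe(FILE_HASH, Sighting(480, "10.4.10.183", "firefox"))
    return initial, affected, reentry
```

The point the slides make is visible in the return value: every point-in-time decision was "allow", yet the retrospective event still names all four hosts, and the re-entry attempt is blocked.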