cisco amp


Upload: cisco-public-sector

Post on 16-Jul-2015


TRANSCRIPT

Page 1: Cisco AMP

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Advanced Malware Protection

Chris Johnson, Security Consulting Systems Engineer, February 2015

Page 2: Cisco AMP


Today’s Advanced Malware Is Not Just A Single Entity

It is a criminal enterprise that hides in plain sight

Missed by Point-in-time Detection

Page 3: Cisco AMP


Comprehensive Security Requires

Breach Protection, Breach Detection, Collective Intelligence

82,000 new threats per day; 180,000+ file samples daily; Trojans account for 8 of 10 infections in 2013

Source: http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html

Page 4: Cisco AMP


Cisco Has The Best-In-Class Security Asset To Deliver Against These Requirements

TALOS (Cisco Collective Security Intelligence) and Cisco® SIO

Intelligence sources:
180,000+ File Samples per Day
FireAMP™ Community, 3+ million
Advanced Microsoft and Industry Disclosures
Snort and ClamAV Open Source Communities
Honeypots
Sourcefire AEGIS™ Program
Private and Public Threat Feeds
Dynamic Analysis
Sourcefire VRT® (Vulnerability Research Team)

Scale:
Automatic Updates every 3-5 minutes
1.6 million global sensors
100 TB of data received per day
150 million+ deployed endpoints
600+ engineers, technicians, and researchers
35% worldwide email traffic
13 billion web requests
24x7x365 operations
40+ languages

Telemetry from: Email, Endpoints, Web (WWW), Networks, IPS, Devices

Page 5: Cisco AMP


Cisco AMP Delivers Three Advantages

1 A better approach: Point-in-Time Detection and Retrospective Security, powered by Cisco Collective Security Intelligence
2 More comprehensive protection: Content, Network, Endpoint
3 Address the full attack continuum: BEFORE, DURING, AFTER

Page 6: Cisco AMP


Cisco AMP Delivers A Better Approach

Point-in-Time Detection: File Reputation & Behavioral Detection
Retrospective Security: Continuous Protection (Unique To Cisco AMP)

Page 7: Cisco AMP


Cisco Collective Security Intelligence
Point-in-Time Protection: File Reputation & Behavioral Detection
Continuous Protection: Retrospective Security (Unique to Cisco AMP)

Cisco AMP Defends With Reputation Filtering And Behavioral Detection

Reputation Filtering: One-to-One Signature, Fuzzy Finger-printing, Machine Learning
Behavioral Detection: Indications of Compromise, Dynamic Analysis, Advanced Analytics, Device Flow Correlation

Page 8: Cisco AMP



Reputation Filtering Is Built On Three Features


Collective Security Intelligence Cloud (diagram):
1 Unknown file’s signature is analyzed and sent to the cloud
2 File’s signature is not known to be malicious and is admitted
3 Unknown file’s signature is analyzed and sent to the cloud
4 File’s signature is known to be malicious and is prevented from entering the system

Page 9: Cisco AMP


Reputation Filtering Is Built On Three Features


Collective Security Intelligence Cloud (diagram):
1 Fingerprint of file is analyzed and determined to be malicious
2 Malicious file is not allowed entry
3 Polymorphic form of the same file tries to enter the system
4 The fingerprints of the two files are compared and found to be similar to one another
5 Polymorphic fingerprint is denied entry based on its similarity to known malware

Page 10: Cisco AMP



Reputation Filtering Is Built On Three Features

Collective Security Intelligence Cloud (diagram):
1 Unknown file’s metadata is sent to the cloud to be analyzed
2 Metadata is recognized as possible malware
3 File is compared to known malware and is confirmed as malware
4 A second unknown file’s metadata is sent to cloud to be analyzed
5 Metadata is similar to known clean file, possibly clean
6 File is confirmed as a clean file after being compared to a similarly clean file

Machine Learning Decision Tree (diagram): Possible malware leads to Confirmed malware; Possible clean file leads to Confirmed clean file

Page 11: Cisco AMP



Behavioral Detection Is Built On Four Features

Collective Security Intelligence Cloud (diagram):
1 Unknown file is analyzed, indications of self-replication are found
2 These indications of self-replication are communicated to the cloud
3 Unknown file is also performing independent external transmissions
4 The transmission behavior is also sent to the cloud
5 These actions are reported to user to identify the file as possible malware

Page 12: Cisco AMP



Behavioral Detection Is Built On Four Features

1 Unknown files are uploaded to the cloud where the Dynamic Analysis Engine executes them in sandboxes
2 Two files are determined to be malware, one is confirmed as a clean file
3 Malicious signatures are updated to the Intelligence cloud and broadcast to the user base

(Diagram: Collective Security Intelligence Cloud, Collective User Base)

Page 13: Cisco AMP



Behavioral Detection Is Built On Four Features

Collective Security Intelligence Cloud (diagram):
1 Receives information regarding software unidentified by Reputation Filtering appliances
2 Receives context regarding unknown software from Collective User Base
3 Analyzes file in light of the information and context provided
4 Identifies the advanced malware and communicates the new signature to the user base

Page 14: Cisco AMP



Behavioral Detection Is Built On Four Features

Collective Security Intelligence Cloud (diagram):
1 Device Flow Correlation monitors the source and destination of I/O traffic on a network
2 Two unknown files are seen communicating with a particular IP address (IP: 64.233.160.0 in the diagram)
3 One is communicating information outside the network, the other is receiving commands from the IP
4 Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site
5 Unknown files are identified as malware because of the association

Page 15: Cisco AMP


Cisco AMP Delivers A Better Approach

Point-in-Time Detection: File Reputation & Behavioral Detection
Retrospective Security: Continuous Protection (Unique to Cisco AMP)

Page 16: Cisco AMP


Cisco AMP Defends With Retrospective Security

Page 17: Cisco AMP


Why Continuous Protection Is Necessary


Breadth and Control points: Web (WWW), Endpoints, Network, Email, Devices, IPS

Telemetry Stream (continuous feed): File Fingerprint and Metadata; File and Network I/O; Process Information

Continuous analysis

Page 18: Cisco AMP


Why Continuous Protection Is Necessary

(Diagram: Context (Who, What, Where, When, How), Event History, Continuous Analysis, Enforcement, Collective Security Intelligence)

Page 19: Cisco AMP


Cisco AMP Defends With Retrospective Security

Trajectory
Behavioral Indications of Compromise
Breach Hunting
Retrospection
Attack Chain Weaving

Page 20: Cisco AMP



Retrospective Security Is Built On…

1 Performs analysis the first time a file is seen
2 Persistently analyzes the file over time to see if the disposition is changed
3 Giving unmatched visibility into the path, actions or communications that are associated with a particular piece of software

Page 21: Cisco AMP



Retrospective Security Is Built On…

Leverages retrospective capabilities in three ways:
1 File Retrospection records the trajectory of the software from device to device
2 Process Retrospection monitors the I/O activity of all devices on the system
3 Communications Retrospection monitors which applications are performing actions

Attack Chain Weaving analyzes the data collected by File, Process and Communication Retrospection to provide a new level of threat intelligence

Page 22: Cisco AMP



Retrospective Security Is Built On…

Behavioral Indications of Compromise uses Retrospection to monitor systems for suspicious and unexplained activity:
1 An unknown file is admitted into the network
2 The unknown file copies itself to multiple machines
3 Duplicates content from the hard drive
4 Sends duplicate content to an unknown IP address

Leveraging the power of Attack Chain Weaving, AMP is able to recognize the patterns and activities of a given file and identify an action to look for across your environment, rather than a file fingerprint or signature

Page 23: Cisco AMP


Retrospective Security Is Built On…


File trajectory automatically records time, method, point of entry, systems impacted and prevalence of the file:
1 Unknown file is downloaded to device
2 Fingerprint is recorded and sent to cloud for analysis
3 The unknown file travels across the network to different devices
4 Sandbox analytics determines the file is malicious and notifies all devices
5 File trajectory provides greater visibility into the extent of an infection

(Diagram: the file moves between Computer, Virtual Machine and Mobile devices across the Network, while fingerprints and verdicts are exchanged with the Collective Security Intelligence Cloud)

Page 24: Cisco AMP



Retrospective Security Is Built On…

Device trajectory (diagram: a Computer with Drive #1, Drive #2, Drive #3):
1 Unknown file is downloaded to a particular device
2 The file moves around the device, executing different operations
3 Meanwhile, device trajectory records the root cause, lineage and actions of the files on a machine
4 That data pinpoints the exact cause and extent of the compromise on the device

Page 25: Cisco AMP



Retrospective Security Is Built On…

1 Breach Hunting is the ability to leverage the indicators generated by Behavioral IoCs to monitor and search for specific behaviors across an environment
2 Once a Behavioral IoC has been identified, it can be used to search for and identify whether that behavior is taking place anywhere else
3 This functionality enables quick searches that profile a behavior rather than a fingerprint, aiding the detection of files that remain unknown but are malicious

Page 26: Cisco AMP


Cisco AMP Delivers Three Advantages (section divider)

1 A better approach: Point-in-Time Detection and Retrospective Security, powered by Cisco Collective Security Intelligence
2 More comprehensive protection: Content, Network, Endpoint
3 Address the full attack continuum: BEFORE, DURING, AFTER

Page 27: Cisco AMP


Comprehensive Environment Protection with AMP

Cisco Advanced Malware Protection by threat vector: Email and Web, Networks, Devices

AMP Protection | Method                                                      | Ideal for
Content        | License with ESA or WSA                                     | New or existing Cisco Email or Web Security customers
Network        | Stand Alone Solution -or- Enable AMP on FirePOWER Appliance | IPS/NGFW customers
Endpoint       | Install on endpoints                                        | Windows, Mac, Android, VMs

Page 28: Cisco AMP


Understanding The Different Platforms

AMP for Content
•  Detect and block malware attempting to enter through email or web gateways
•  Receive extensive reporting, URL/Message tracking and remediation prioritization
•  Add-on to an existing appliance or in the cloud

AMP for Networks
•  Identify point of entry, propagation, protocols used, users and hosts affected
•  Receive a comprehensive picture of malicious activity with contextual data
•  Control of BYOD devices on the network

AMP for Endpoints
•  Find an infection, trace its path, analyze its behavior
•  Mitigate damage quickly and eliminate the risk of reinfection
•  Locate indications of compromise at both the network and system level

Page 29: Cisco AMP


Protection Across Networks

•  The Network platform uses indications of compromise, file analysis and, in this example, file trajectory to show you exactly how malicious files have moved across the environment

Page 30: Cisco AMP


Protection Across Endpoints

•  The Endpoint platform has device trajectory, elastic search and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the FireAMP connector installed

Page 31: Cisco AMP


Protection Across Web and Email

•  AMP for Content protects against web and email threats by issuing retrospective alerts when malware or malicious signatures are detected


Page 32: Cisco AMP


Complete Environment Protection With AMP

Address Threat Vector: Each deployment option offers extensive protection across its particular threat vector

Prevent Infection: Since infections are designed to spread, protecting against one or two attack vectors is insufficient for today’s threats

Working Together: Deploying AMP for Content, Network and Endpoint together is the best available means of complete environment protection, quarantine and remediation

Page 33: Cisco AMP


Cisco AMP Delivers Three Advantages (section divider)

1 A better approach: Point-in-Time Detection and Retrospective Security, powered by Cisco Collective Security Intelligence
2 More comprehensive protection: Content, Network, Endpoint
3 Address the full attack continuum: BEFORE, DURING, AFTER

Page 34: Cisco AMP


Block Threats Before They Breach (BEFORE): A US Bank Case Study

Challenge: An experienced security team of 7 supporting over 120 locations needed greater intelligence to quickly identify and stop threats. Current defenses alerted personnel and logged details but did nothing to aid investigation of the issue.

Solution: Augmented intrusion prevention systems with FireAMP for Endpoint.

Result: After installation of FireAMP, a targeted attack was identified and remediated in half a day. 7 days after the initial attack, new business processes and intelligence implemented by FireAMP resulted in the immediate mitigation of a second targeted attack.

Page 35: Cisco AMP


Defend Against Threats During The Attack (DURING): FVC Case Study

Challenge: The previous, bulky malware solution was not centrally managed, which made it difficult for IT to monitor and troubleshoot the network effectively.

Solution: Installed FireAMP on endpoints for a lighter footprint, central monitoring and real-time, remote visibility.

Result: FireAMP’s dashboard helped the team find and stop threats much faster than previous methods. What used to take them hours now only requires 2-3 minutes. With remote management, the team is also able to solve many issues remotely and keep employees productive.

Page 36: Cisco AMP


Identify Scope And Remediate Impact After Breach (AFTER): Power Utility Case Study

Challenge: The company is a frequent victim of spear phishing campaigns, with indications of infection emanating from multiple sources.

Solution: Added FireAMP to a system already using FirePOWER to enable them to track and investigate suspicious file activity.

Result: The company gained complete visibility into their malware infections, determined the attack vector, assessed the impact to the network and made intelligent, surgical decisions for remediation in a fraction of the time it would take to respond manually.

Page 37: Cisco AMP


Cisco AMP Delivers Three Advantages (section divider)

1 A better approach: Point-in-Time Detection and Retrospective Security, powered by Cisco Collective Security Intelligence
2 More comprehensive protection: Content, Network, Endpoint
3 Address the full attack continuum: BEFORE, DURING, AFTER

Page 38: Cisco AMP


Identifying Your Exposure

1 Assess your current level of web and email protection
2 Assess your current level of network protection
3 Assess your current level of endpoint protection

Page 39: Cisco AMP


Get Started Now

1 Decide on Proof of Value (POV) deployment preference
2 Establish a timeframe and installation date for POV
3 Determine hardware requirements and configuration changes
4 Select POV length and delivery
5 Schedule kick-off meeting

Page 40: Cisco AMP


Thank You

Page 41: Cisco AMP


How Cisco AMP Works: Network File Trajectory Use Case

Page 42: Cisco AMP


Page 43: Cisco AMP


An unknown file is present on IP 10.4.10.183, having been downloaded via Firefox

Page 44: Cisco AMP


At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8

Page 45: Cisco AMP


Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application

Page 46: Cisco AMP


The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later

Page 47: Cisco AMP


The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.

Page 48: Cisco AMP


At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware

Page 49: Cisco AMP


8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
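The file trajectory use case above, together with the retrospective security slides (pages 20-23), describes a mechanism that is simple to model: record every sighting of a file hash per device, and when the cloud verdict later changes, raise an event for every device that has seen the file and block the hash at the point of entry from then on. The Python below is an added illustration written for this page, not Cisco code or the AMP API; the hash is a placeholder, the times are constructed around the 10:57 copy on the slides, and the four device IPs are the ones from the use case.

```python
"""Retrospective security over a file trajectory (added illustration, not Cisco code).

Model: the cloud keeps one disposition per file hash; devices report every
sighting (download, copy) of that hash; when the disposition later flips to
MALICIOUS, a retrospective event is raised for each device that ever saw the
file, and any later attempt to admit the same hash is blocked at point of entry.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

UNKNOWN, CLEAN, MALICIOUS = "unknown", "clean", "malicious"

@dataclass
class Sighting:
    when: datetime
    device: str             # IP of the device reporting the sighting
    via: str                # how the file arrived (browser download, SMB, ...)
    source: Optional[str]   # device it was copied from, if any

@dataclass
class RetrospectiveEvent:
    when: datetime          # when the verdict changed
    device: str             # device that must be told, even hours later
    sha256: str
    first_seen: datetime    # when that device first saw the file

class TrajectoryStore:
    def __init__(self):
        self.disposition: dict[str, str] = {}
        self.trajectory: dict[str, list[Sighting]] = {}

    def observe(self, sha256, when, device, via, source=None) -> str:
        """Record a sighting. Returns 'block' for known malware, else 'allow'."""
        if self.disposition.get(sha256, UNKNOWN) == MALICIOUS:
            return "block"   # point-in-time block: the file is never admitted
        self.disposition.setdefault(sha256, UNKNOWN)
        self.trajectory.setdefault(sha256, []).append(Sighting(when, device, via, source))
        return "allow"

    def set_disposition(self, sha256, new, when) -> list[RetrospectiveEvent]:
        """Update the cloud verdict; a flip to MALICIOUS notifies every past device."""
        old = self.disposition.get(sha256, UNKNOWN)
        self.disposition[sha256] = new
        if new != MALICIOUS or old == MALICIOUS:
            return []
        first_seen: dict[str, datetime] = {}
        for s in self.trajectory.get(sha256, []):
            first_seen.setdefault(s.device, s.when)   # earliest sighting per device
        return [RetrospectiveEvent(when, d, sha256, t) for d, t in first_seen.items()]

    def path(self, sha256) -> list[tuple[Optional[str], str, str]]:
        """Ordered hops (from, to, method): the file trajectory across devices."""
        return [(s.source, s.device, s.via) for s in self.trajectory.get(sha256, [])]

def run_use_case():
    """Replays the slide sequence; constructed t0 and a placeholder hash."""
    sha = "sha256:PLACEHOLDER-UNKNOWN-FILE"
    t0 = datetime(2015, 2, 1, 10, 57)            # the first copy happens at 10:57
    store = TrajectoryStore()
    store.observe(sha, t0 - timedelta(minutes=5), "10.4.10.183", "Firefox download")
    store.observe(sha, t0, "10.5.11.8", "file copy", source="10.4.10.183")
    store.observe(sha, t0 + timedelta(hours=7), "10.3.4.51", "SMB", source="10.5.11.8")
    store.observe(sha, t0 + timedelta(hours=7, minutes=30), "10.5.60.66", "SMB", source="10.3.4.51")
    # The cloud learns the file is malicious: all four devices get a retrospective event.
    events = store.set_disposition(sha, MALICIOUS, t0 + timedelta(hours=7, minutes=31))
    # 8 hours after the first sighting the same hash tries to re-enter via the original device.
    reentry = store.observe(sha, t0 + timedelta(hours=8), "10.4.10.183", "Firefox download")
    return store, events, reentry
```

Note that the retrospective events carry each device's first sighting, which is what lets an analyst scope the infection window per host rather than just receiving a new block verdict.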