Cisco AMP (slide transcript)
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Advanced Malware Protection
Chris Johnson, Security Consulting Systems Engineer, February 2015
Today’s Advanced Malware Is Not Just A Single Entity
It is a criminal enterprise that hides in plain sight
Missed by point-in-time detection
Comprehensive Security Requires
• Breach Protection
• Breach Detection
• Collective Intelligence
82,000 new threats per day; 180,000+ file samples daily; Trojans accounted for 8 of 10 infections in 2013
Source: http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html
Cisco Has The Best-In-Class Security Asset To Deliver Against These Requirements
Cisco Collective Security Intelligence (Cisco® SIO, Sourcefire VRT® (Vulnerability Research Team), TALOS) is built from:
• 180,000+ file samples per day
• FireAMP™ Community, 3+ million
• Advanced Microsoft and industry disclosures
• Snort and ClamAV open source communities
• Honeypots
• Sourcefire AEGIS™ Program
• Private and public threat feeds
• Dynamic analysis
Scale of the operation:
• Automatic updates every 3-5 minutes
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600+ engineers, technicians, and researchers
• 35% of worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 40+ languages
Telemetry sources: Email, Endpoints, Web, Networks, IPS, Devices
Cisco AMP Delivers Three Advantages
1. A better approach: Point-in-Time Detection plus Retrospective Security, fed by Cisco Collective Security Intelligence
2. More comprehensive protection: Content, Network, Endpoint
3. Address the full attack continuum: BEFORE, DURING, AFTER
Cisco AMP Delivers A Better Approach
• Point-in-Time Detection: File Reputation & Behavioral Detection
• Retrospective Security: Continuous Protection (unique to Cisco AMP)
Both are fed by Cisco Collective Security Intelligence
Cisco AMP Defends With Reputation Filtering And Behavioral Detection
Reputation Filtering:
• One-to-One Signature
• Fuzzy Finger-printing
• Machine Learning
Behavioral Detection:
• Indications of Compromise
• Dynamic Analysis
• Advanced Analytics
• Device Flow Correlation
Reputation Filtering Is Built On Three Features: One-to-One Signature
1. An unknown file’s signature is computed and sent to the Collective Security Intelligence Cloud
2. The signature is not known to be malicious, so the file is admitted
3. Another unknown file’s signature is computed and sent to the cloud
4. That signature is known to be malicious, so the file is prevented from entering the system
Reputation Filtering Is Built On Three Features: Fuzzy Finger-printing
1. The fingerprint of a file is analyzed and determined to be malicious
2. The malicious file is not allowed entry
3. A polymorphic form of the same file tries to enter the system
4. The fingerprints of the two files are compared and found to be similar to one another
5. The polymorphic variant is denied entry based on its similarity to known malware
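The two deterministic stages described above, an exact one-to-one signature lookup followed by a fuzzy fingerprint comparison that catches a repacked variant, as an added Python example. This is not Cisco’s code, and the slides do not disclose AMP’s fingerprinting algorithm: the shingle-set fingerprint, the 0.7 similarity threshold, and the three byte strings standing in for a known sample, its polymorphic variant and a clean file are all constructed for illustration.

```python
"""Reputation filtering: one-to-one SHA-256 lookup, then fuzzy fingerprint similarity.
Added example with constructed data; the fingerprint scheme is a simplified stand-in,
not AMP's algorithm."""
from __future__ import annotations
import hashlib


def sha256_hex(data: bytes) -> str:
    """One-to-one signature: an exact hash only matches a byte-identical file."""
    return hashlib.sha256(data).hexdigest()


def fuzzy_fingerprint(data: bytes, window: int = 8) -> frozenset[int]:
    """Content-defined fingerprint: the set of 32-bit hashes of every overlapping
    `window`-byte shingle. Inserting or moving bytes only changes the shingles that
    cross the edit, so two files sharing most of their body score as similar even
    though their SHA-256 values differ completely."""
    shingles = set()
    for i in range(len(data) - window + 1):
        digest = hashlib.blake2b(data[i:i + window], digest_size=4).digest()
        shingles.add(int.from_bytes(digest, "big"))
    return frozenset(shingles)


def similarity(a: frozenset[int], b: frozenset[int]) -> float:
    """Jaccard index of two fingerprints, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def reputation_verdict(data: bytes, known_bad_sha256: set[str],
                       known_bad_fingerprints: list[frozenset[int]],
                       threshold: float = 0.7) -> tuple[str, str]:
    """Returns (action, reason). Stage 1 is the exact signature; stage 2 compares the
    fuzzy fingerprint against every known-bad fingerprint. Anything below the threshold
    is 'unknown' and is admitted here, to be handed to the next tier (machine learning,
    dynamic analysis) rather than blocked on reputation alone."""
    if sha256_hex(data) in known_bad_sha256:
        return "block", "one-to-one signature match"
    fp = fuzzy_fingerprint(data)
    best = max((similarity(fp, k) for k in known_bad_fingerprints), default=0.0)
    if best >= threshold:
        return "block", f"fuzzy fingerprint similarity {best:.2f} to known malware"
    return "allow", f"unknown (best similarity {best:.2f}); escalate for further analysis"


# Constructed samples: a "known" malicious body, a polymorphic repack of it (different
# header padding, identical payload), and an unrelated clean file.
BODY = bytes(range(256)) * 4 + b"cmd.exe /c whoami"
KNOWN_MALWARE = b"MZ" + BODY
VARIANT = b"MZ" + b"\x90" * 16 + BODY              # new SHA-256, same payload
CLEAN = b"MZ" + bytes(range(255, -1, -1)) * 4 + b"notepad.exe"

# What the "cloud" already knows: the exact hash and the fuzzy fingerprint of the sample.
KNOWN_BAD_SHA256 = {sha256_hex(KNOWN_MALWARE)}
KNOWN_BAD_FINGERPRINTS = [fuzzy_fingerprint(KNOWN_MALWARE)]


def classify_samples() -> dict[str, str]:
    """Runs the three constructed samples through the filter; returns name -> action."""
    samples = (("known", KNOWN_MALWARE), ("variant", VARIANT), ("clean", CLEAN))
    return {name: reputation_verdict(s, KNOWN_BAD_SHA256, KNOWN_BAD_FINGERPRINTS)[0]
            for name, s in samples}


if __name__ == "__main__":
    for name, sample in (("known", KNOWN_MALWARE), ("variant", VARIANT), ("clean", CLEAN)):
        print(name, *reputation_verdict(sample, KNOWN_BAD_SHA256, KNOWN_BAD_FINGERPRINTS))
```

The variant has a completely different SHA-256, so the one-to-one stage misses it; its shingle set overlaps the known sample’s at roughly 0.96, well above the threshold, so the fuzzy stage blocks it. The threshold is the tuning knob: too low and benign files built from common libraries start matching, too high and a variant with a modestly rewritten body slips through.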
Reputation Filtering Is Built On Three Features: Machine Learning
1. An unknown file’s metadata is sent to the Collective Security Intelligence Cloud to be analyzed
2. The metadata is recognized as possible malware
3. The file is compared to known malware and is confirmed as malware
4. A second unknown file’s metadata is sent to the cloud to be analyzed
5. The metadata is similar to a known clean file, so the file is possibly clean
6. The file is confirmed as clean after being compared to a similar clean file
Machine Learning Decision Tree (figure): possible malware -> confirmed malware; possible clean file -> confirmed clean file
Behavioral Detection Is Built On Four Features: Indications of Compromise
1. An unknown file is analyzed and indications of self-replication are found
2. These indications of self-replication are communicated to the Collective Security Intelligence Cloud
3. The unknown file is also performing independent external transmissions
4. The transmission behavior is also sent to the cloud
5. These actions are reported to the user to identify the file as possible malware
Behavioral Detection Is Built On Four Features: Dynamic Analysis
1. Unknown files are uploaded to the Collective Security Intelligence Cloud, where the Dynamic Analysis Engine executes them in sandboxes
2. Two files are determined to be malware; one is confirmed as a clean file
3. The malicious signatures are updated in the intelligence cloud and broadcast to the collective user base
Behavioral Detection Is Built On Four Features: Advanced Analytics
1. The Collective Security Intelligence Cloud receives information regarding software unidentified by Reputation Filtering appliances
2. It receives context regarding the unknown software from the collective user base
3. It analyzes the file in light of the information and context provided
4. It identifies the advanced malware and communicates the new signature to the user base
Behavioral Detection Is Built On Four Features: Device Flow Correlation
1. Device Flow Correlation monitors the source and destination of I/O traffic on a network
2. Two unknown files are seen communicating with a particular IP address (the slide’s example address is 64.233.160.0)
3. One is sending information outside the network, the other is receiving commands from the IP
4. The Collective Security Intelligence Cloud recognizes the external IP as a confirmed malicious site
5. The unknown files are identified as malware because of the association
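The Indications of Compromise slide (self-replication, independent external transmission) and the Device Flow Correlation slide (association with a confirmed-malicious address) describe rules over the same endpoint telemetry, so one added Python example covers both. It is not Cisco’s code and the connector’s real event schema is not shown on these slides: the event fields, the browser allowlist, the RFC 1918 notion of "internal", and the threat-intel set (using the RFC 5737 documentation address 203.0.113.7 rather than the slide’s address) are all assumptions, and the telemetry lines are constructed.

```python
"""Behavioral IoCs and device flow correlation over endpoint telemetry.
Added example; event schema, allowlist and threat-intel set are assumptions."""
from __future__ import annotations
import ipaddress
from collections import defaultdict

# Assumption: anything outside RFC 1918 space counts as "outside the network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: processes that are expected to talk to the internet on their own.
EXPECTED_EXTERNAL = {"firefox.exe", "outlook.exe"}
# Stand-in for the cloud's IP reputation. 203.0.113.7 is a documentation address used
# here as a constructed "confirmed malicious" command-and-control host.
KNOWN_BAD_IPS = {"203.0.113.7"}


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(events: list[dict], known_bad_ips: set[str] = KNOWN_BAD_IPS) -> dict[str, set[str]]:
    """Returns indicator names keyed by the hash of the executable that exhibited them.
    Each event carries host, proc, proc_sha256 and kind; a 'file_write' also carries
    path and file_sha256, a 'net_connect' carries dst_ip and direction ('out' or 'in')."""
    indicators: dict[str, set[str]] = defaultdict(set)
    for e in events:
        sha = e["proc_sha256"]
        if e["kind"] == "file_write" and e["file_sha256"] == sha:
            # The running image wrote a byte-identical copy of itself: self-replication.
            indicators[sha].add("self_replication")
        elif e["kind"] == "net_connect":
            if is_external(e["dst_ip"]) and e["proc"] not in EXPECTED_EXTERNAL:
                # Independent external traffic from something that has no business doing it.
                indicators[sha].add("external_transmission" if e["direction"] == "out"
                                    else "external_command_receipt")
            if e["dst_ip"] in known_bad_ips:
                # Device flow correlation: guilt by association with a known-bad address.
                indicators[sha].add("known_bad_ip")
    return dict(indicators)


def possible_malware(indicators: set[str]) -> bool:
    """A known-bad peer is decisive on its own; otherwise two behaviors together are
    needed, so a lone outbound connection from an unlisted tool is not enough."""
    return "known_bad_ip" in indicators or len(indicators) >= 2


def report(events: list[dict]) -> dict[str, bool]:
    return {sha: possible_malware(ind) for sha, ind in evaluate(events).items()}


# Constructed telemetry: updsvc.exe copies itself to a second workstation and phones
# out to the C2; helper.exe receives commands from the same address; firefox.exe and
# explorer.exe behave normally.
TELEMETRY = [
    {"host": "ws-17", "proc": "updsvc.exe", "proc_sha256": "aa" * 32, "kind": "file_write",
     "path": r"\\ws-22\C$\Users\Public\updsvc.exe", "file_sha256": "aa" * 32},
    {"host": "ws-17", "proc": "updsvc.exe", "proc_sha256": "aa" * 32, "kind": "file_write",
     "path": r"C:\Users\bob\Documents\archive.zip", "file_sha256": "11" * 32},
    {"host": "ws-17", "proc": "updsvc.exe", "proc_sha256": "aa" * 32, "kind": "net_connect",
     "dst_ip": "203.0.113.7", "direction": "out"},
    {"host": "ws-22", "proc": "helper.exe", "proc_sha256": "bb" * 32, "kind": "net_connect",
     "dst_ip": "203.0.113.7", "direction": "in"},
    {"host": "ws-22", "proc": "firefox.exe", "proc_sha256": "cc" * 32, "kind": "net_connect",
     "dst_ip": "198.51.100.20", "direction": "out"},
    {"host": "ws-22", "proc": "explorer.exe", "proc_sha256": "dd" * 32, "kind": "net_connect",
     "dst_ip": "10.1.2.3", "direction": "out"},
]

if __name__ == "__main__":
    for sha, ind in evaluate(TELEMETRY).items():
        print(sha[:8], sorted(ind), "possible malware" if possible_malware(ind) else "watch")
```

Neither updsvc.exe nor helper.exe has a signature, which is the point of the slide: the verdict comes from what the file does and whom it talks to. The allowlist is where the false positives live; a real deployment keys it on signer or hash rather than on a process name an attacker can copy.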
Cisco AMP Defends With Retrospective Security
Why Continuous Protection Is Necessary
Breadth and control points:
• File fingerprint and metadata
• File and network I/O
• Process information
Telemetry stream: a continuous feed from Web, Endpoints, Network, Email, IPS and Devices into continuous analysis
Why Continuous Protection Is Necessary
Context (who, what, where, when, how), enforcement and continuous analysis, backed by event history and Collective Security Intelligence
Cisco AMP Defends With Retrospective Security
Retrospective security is built on:
• Retrospection
• Attack Chain Weaving
• Behavioral Indications of Compromise
• Trajectory
• Breach Hunting
Retrospective Security Is Built On… Retrospection
1. Performs analysis the first time a file is seen
2. Persistently analyzes the file over time to see if the disposition has changed
3. Gives unmatched visibility into the path, actions or communications associated with a particular piece of software
Retrospective Security Is Built On… Attack Chain Weaving
Leverages retrospective capabilities in three ways:
1. File Retrospection records the trajectory of the software from device to device
2. Process Retrospection monitors which applications are performing actions
3. Communication Retrospection monitors the I/O activity of all devices on the system
Attack Chain Weaving analyzes the data collected by File, Process and Communication Retrospection to provide a new level of threat intelligence
Retrospective Security Is Built On… Behavioral Indications of Compromise
Behavioral Indications of Compromise uses Retrospection to monitor systems for suspicious and unexplained activity:
1. An unknown file is admitted into the network
2. The unknown file copies itself to multiple machines
3. It duplicates content from the hard drive
4. It sends the duplicated content to an unknown IP address
Leveraging Attack Chain Weaving, AMP recognizes the patterns and activities of a given file and derives an action to look for across your environment, rather than a file fingerprint or signature
Retrospective Security Is Built On… Trajectory (File Trajectory)
File trajectory automatically records the time, method, point of entry, systems impacted and prevalence of a file:
1. An unknown file is downloaded to a device
2. Its fingerprint is recorded and sent to the Collective Security Intelligence Cloud for analysis
3. The unknown file travels across the network to different devices (computers, virtual machines and mobile devices in the figure)
4. Sandbox analytics determines the file is malicious and notifies all devices
5. File trajectory provides greater visibility into the extent of an infection
Retrospective Security Is Built On… Trajectory (Device Trajectory)
1. An unknown file is downloaded to a particular device
2. The file moves around the device, executing different operations (the figure shows it touching Drive #1, Drive #2 and Drive #3)
3. Meanwhile, device trajectory records the root cause, lineage and actions of the files on the machine
4. That data pinpoints the exact cause and extent of the compromise on the device
Retrospective Security Is Built On… Breach Hunting
1. Breach Hunting is the ability to leverage the indicators generated by Behavioral IoCs to monitor and search for specific behaviors across an environment
2. Once a Behavioral IoC has been identified, it can be used to search for and identify whether that behavior is taking place anywhere else
3. This functionality enables quick searches that profile a behavior rather than a fingerprint, aiding the detection of files that remain unknown but are malicious
Comprehensive Environment Protection with AMP
Cisco Advanced Malware Protection deployment options:

AMP Protection | Threat Vector | Method                                                      | Ideal for
Content        | Email and Web | License with ESA or WSA                                     | New or existing Cisco Email or Web Security customers
Network        | Networks      | Stand-alone solution, or enable AMP on a FirePOWER appliance | IPS/NGFW customers
Endpoint       | Devices       | Install on endpoints                                        | Windows, Mac, Android, VMs
Understanding The Different Platforms
AMP for Content
• Detect and block malware attempting to enter through email or web gateways
• Receive extensive reporting, URL/message tracking and remediation prioritization
• Add-on to an existing appliance or in the cloud
AMP for Networks
• Identify point of entry, propagation, protocols used, and users and hosts affected
• Receive a comprehensive picture of malicious activity with contextual data
• Control of BYOD devices on the network
AMP for Endpoints
• Find an infection, trace its path, analyze its behavior
• Mitigate damage quickly and eliminate the risk of reinfection
• Locate indications of compromise at both the network and system level
Protection Across Networks
• The Network platform uses indications of compromise, file analysis and, in this example, file trajectory to show exactly how malicious files have moved across the environment
Protection Across Endpoints
• The Endpoint platform has device trajectory, elastic search and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the FireAMP connector installed
Protection Across Web and Email
• AMP for Content protects against web and email threats by issuing retrospective alerts when malware or malicious signatures are detected
Complete Environment Protection With AMP
Address Threat Vector: Each deployment option offers extensive protection across its particular threat vector
Prevent Infection: Since infections are designed to spread, protecting against one or two attack vectors is insufficient for today’s threats
Working Together: Deploying AMP for Content, Network and Endpoint together is the best available means of complete environment protection, quarantine and remediation
Block Threats Before They Breach (BEFORE): A US Bank Case Study
Challenge: An experienced security team of 7 supporting over 120 locations needed greater intelligence to quickly identify and stop threats. Existing defenses alerted personnel and logged details but did nothing to aid investigation of the issue.
Solution: Augmented intrusion prevention systems with FireAMP for Endpoint.
Result: After installation of FireAMP, a targeted attack was identified and remediated in half a day. Seven days after the initial attack, new business processes and intelligence implemented with FireAMP resulted in the immediate mitigation of a second targeted attack.
Defend Against Threats During The Attack (DURING): FVC Case Study
Challenge: The previous, bulky malware solution was not centrally managed, which made it difficult for IT to monitor and troubleshoot the network effectively.
Solution: Installed FireAMP on endpoints for a lighter footprint, central monitoring and real-time, remote visibility.
Result: FireAMP’s dashboard helped the team find and stop threats much faster than previous methods. What used to take hours now requires only 2-3 minutes. With remote management, the team is also able to solve many issues remotely and keep employees productive.
Identify Scope And Remediate Impact After Breach (AFTER): Power Utility Case Study
Challenge: The company is a frequent victim of spear phishing campaigns, with indications of infection emanating from multiple sources.
Solution: Added FireAMP to a system already using FirePOWER to enable them to track and investigate suspicious file activity.
Result: The company gained complete visibility into its malware infections, determined the attack vector, assessed the impact to the network and made intelligent, surgical remediation decisions in a fraction of the time it would take to respond manually.
Identifying Your Exposure
1. Assess your current level of web and email protection
2. Assess your current level of network protection
3. Assess your current level of endpoint protection
Get Started Now
1. Decide on Proof of Value (POV) deployment preference
2. Establish a timeframe and installation date for the POV
3. Determine hardware requirements and configuration changes
4. Select POV length and delivery
5. Schedule kick-off meeting
Thank You
How Cisco AMP Works: Network File Trajectory Use Case
An unknown file is present on IP 10.4.10.183, having been downloaded via Firefox
At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8
Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application
The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later
The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware
Eight hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
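The File Trajectory slide earlier and this use case describe the same mechanism: every control point records which host received which hash and when, the verdict on the hash arrives later, and the recorded trajectory is then replayed to alert on every host that was exposed while the file was still "unknown". The added Python example below replays the four hops with the hosts and times given on the slides; it is not Cisco’s code, and the 10:45 download time, the 18:40 disposition change, the placeholder SHA-256 and the "unknown" application on the first hop are assumptions where the slides give no value.

```python
"""Retrospective security over a recorded file trajectory.
Added example; hosts and hop times follow the slides, the rest is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    """One observation of a file crossing a control point (network sensor or connector)."""
    ts: datetime
    sha256: str
    src: str    # where the file came from: a host IP or "internet"
    dst: str    # host that received the file
    app: str    # application or protocol that carried it


SAMPLE_SHA = "00" * 32                       # placeholder hash, not a real sample
DAY = datetime(2015, 2, 3)                   # assumed date
VERDICT_TS = DAY.replace(hour=18, minute=40) # assumed time the cloud flips the disposition

# Constructed trajectory matching the use case: download, 10:57 hop, SMB hop seven
# hours later, second SMB hop half an hour after that.
EVENTS = [
    FileEvent(DAY.replace(hour=10, minute=45), SAMPLE_SHA, "internet", "10.4.10.183", "firefox"),
    FileEvent(DAY.replace(hour=10, minute=57), SAMPLE_SHA, "10.4.10.183", "10.5.11.8", "unknown"),
    FileEvent(DAY.replace(hour=17, minute=57), SAMPLE_SHA, "10.5.11.8", "10.3.4.51", "smb"),
    FileEvent(DAY.replace(hour=18, minute=27), SAMPLE_SHA, "10.3.4.51", "10.5.60.66", "smb"),
]


def trajectory(events: list[FileEvent], sha: str) -> list[FileEvent]:
    """All recorded hops of one hash, in time order: the file trajectory."""
    return sorted((e for e in events if e.sha256 == sha), key=lambda e: e.ts)


def first_seen_by_host(events: list[FileEvent], sha: str) -> dict[str, datetime]:
    seen: dict[str, datetime] = {}
    for e in trajectory(events, sha):
        seen.setdefault(e.dst, e.ts)
    return seen


def gateway_verdict(sha: str, ts: datetime, dispositions: dict[str, tuple[str, datetime]]) -> str:
    """Point-in-time decision at a control point: block only if the cloud already held a
    malicious disposition at the moment the file was seen. Before the verdict every hop
    is allowed, which is exactly the gap retrospection has to close."""
    verdict, since = dispositions.get(sha, ("unknown", None))
    if verdict == "malicious" and since <= ts:
        return "block"
    return "allow"


def retrospective_alerts(events: list[FileEvent], sha: str, verdict_ts: datetime) -> list[dict]:
    """When a hash flips to malicious, raise one event per host that received it earlier.
    dwell is how long the host held the file before anyone knew it was bad."""
    alerts = []
    for host, ts in first_seen_by_host(events, sha).items():
        if ts <= verdict_ts:
            alerts.append({"host": host, "first_seen": ts, "dwell": verdict_ts - ts})
    return sorted(alerts, key=lambda a: a["first_seen"])


def run_use_case() -> dict:
    """Replays the four hops, applies the verdict, then retries the original entry point."""
    dispositions: dict[str, tuple[str, datetime]] = {}
    hop_verdicts = [gateway_verdict(e.sha256, e.ts, dispositions)
                    for e in trajectory(EVENTS, SAMPLE_SHA)]
    dispositions[SAMPLE_SHA] = ("malicious", VERDICT_TS)      # the cloud learns the truth
    alerts = retrospective_alerts(EVENTS, SAMPLE_SHA, VERDICT_TS)
    reentry = gateway_verdict(SAMPLE_SHA, DAY.replace(hour=18, minute=45), dispositions)
    return {"hop_verdicts": hop_verdicts, "hosts_alerted": len(alerts),
            "alerts": alerts, "reentry_verdict": reentry}


if __name__ == "__main__":
    result = run_use_case()
    for a in result["alerts"]:
        print(f"{a['host']:<12} first seen {a['first_seen']:%H:%M}  dwell {a['dwell']}")
    print("re-entry at 18:45:", result["reentry_verdict"])
```

The two things to check in any such implementation are that the alert set is driven by the recorded trajectory and not by a fresh scan (a host that deleted the file still needs the alert, because whatever the file did has already happened), and that `gateway_verdict` compares the file’s timestamp against the verdict’s timestamp rather than against "now", otherwise the same function cannot honestly report that every hop was allowed at the time.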