The World Against the Bad: Cisco AMP Solution to the Rescue
TRANSCRIPT
Advanced Threat Protection with FireAMP
Cisco Confidential 3 C97-731576-00 © 2014 Cisco and/or its affiliates. All rights reserved.
The Industrialization of Hacking
Three phases across the 1990 to 2020 timeline: phishing and low-sophistication attacks; hacking becomes an industry; sophisticated attacks in a complex landscape.
Viruses: 1990–2000
Worms: 2000–2005
Spyware and Rootkits: 2005–Today
APTs, Cyberwar: Today+
The New Security Model: the Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Spans Network, Endpoint, Mobile, Virtual and Cloud, and moves from point-in-time to continuous protection.
The New Security Model: why the continuum matters
Malware is getting through control-based defenses.
Malware prevention is NOT 100%: breaches happen.
Existing tools are labor intensive and require expertise.
When Malware Strikes, You Have Questions
Where did it come from?
Who else is infected?
What is it doing?
How do I stop it?
Point-in-time Detection (Antivirus, Sandboxing)
Initial Disposition = Clean. Analysis stops, so the tool is blind to the scope of compromise and is not 100% effective.
Techniques that defeat a single look: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism.
Actual Disposition = Bad = Too Late!!
Continuous (Retrospective) Detection
Initial Disposition = Clean, but analysis continues.
When the verdict changes: Actual Disposition = Bad = Blocked.
Turns back time: Visibility and Control are Key.
Looks beyond the event horizon and addresses the limitations of point-in-time detection.
AMP Deployment Options
AMP for FirePOWER: network-based detection/blocking, as part of IPS or as a standalone appliance.
FireAMP: host, virtual & mobile detection/blocking; threat tracking & remediation.
Finding patient 0: Trajectory analysis (AFTER)
Look wide (AMP for Networks): Network trajectory. Look deep (AMP for Endpoints): Device trajectory.
What systems were infected?
When did it happen?
Where is patient 0?
What else did it bring in?
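The retrospective-detection idea from the earlier slide and the four trajectory questions on this one, as an added example that is not part of the original deck and not Cisco's code: a small Python model of an endpoint telemetry store. The class and function names are hypothetical and the file events are constructed. Every file is allowed at first sight (initial disposition clean); when the dropper's disposition later flips to malicious, the engine re-reads the recorded history instead of stopping analysis: it blocks new sightings, finds patient 0 and what brought the file in, lists every host that saw the file or anything it dropped (look wide), and exposes the per-host device trajectory (look deep).

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    ts: int                       # constructed timestamp (seconds)
    host: str
    sha256: str                   # shortened for readability; real telemetry carries full SHA-256
    action: str                   # "download", "execute" or "create"
    parent: Optional[str] = None  # hash/name of the process that performed the action, if recorded


# Constructed sample telemetry (not real data): a dropper lands on host-01 from a
# browser download, runs and writes a payload; the payload then turns up on two more hosts.
BROWSER = "browser.exe"   # stands in for the hash of a known-good process
DROPPER = "a1f3"
PAYLOAD = "b2c4"
EVENTS = [
    FileEvent(100, "host-01", DROPPER, "download", parent=BROWSER),
    FileEvent(105, "host-01", DROPPER, "execute"),
    FileEvent(110, "host-01", PAYLOAD, "create", parent=DROPPER),
    FileEvent(400, "host-02", DROPPER, "download", parent=BROWSER),
    FileEvent(405, "host-02", PAYLOAD, "create", parent=DROPPER),
    FileEvent(900, "host-03", PAYLOAD, "create"),        # copied in over a share; no parent recorded
    FileEvent(950, "host-03", "c9d8", "execute"),        # unrelated file, must not be flagged
]


class RetrospectiveEngine:
    """Keeps every file event and re-evaluates the history when a verdict changes."""

    def __init__(self) -> None:
        self.disposition: dict[str, str] = {}   # sha256 -> "clean" | "malicious"
        self.events: list[FileEvent] = []       # append-only history we can look back into

    def observe(self, ev: FileEvent) -> str:
        """Point-in-time decision: block only if the hash is already known bad, but always record."""
        self.events.append(ev)
        return "blocked" if self.disposition.get(ev.sha256) == "malicious" else "allowed"

    def update_disposition(self, sha256: str, verdict: str) -> Optional[dict]:
        """Retrospective step: a clean-to-malicious flip is applied to everything already seen."""
        previous = self.disposition.get(sha256, "clean")
        self.disposition[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return None
        return {
            "hash": sha256,
            "patient_zero": self.patient_zero(sha256),
            "hosts": self.infected_hosts(sha256),
            "brought_in": self.descendants(sha256),
        }

    def file_trajectory(self, sha256: str) -> list[FileEvent]:
        """Look wide: every sighting of one file across the fleet, oldest first."""
        return sorted((e for e in self.events if e.sha256 == sha256), key=lambda e: e.ts)

    def device_trajectory(self, host: str) -> list[FileEvent]:
        """Look deep: everything recorded on one host, oldest first."""
        return sorted((e for e in self.events if e.host == host), key=lambda e: e.ts)

    def patient_zero(self, sha256: str) -> Optional[tuple[str, int, Optional[str]]]:
        """Earliest sighting: which host, when, and which process brought the file in."""
        traj = self.file_trajectory(sha256)
        return (traj[0].host, traj[0].ts, traj[0].parent) if traj else None

    def descendants(self, sha256: str) -> set[str]:
        """Files the flagged file created or ran, transitively: what else it brought in."""
        found: set[str] = set()
        queue = deque([sha256])
        while queue:
            cur = queue.popleft()
            for e in self.events:
                if e.parent == cur and e.sha256 != sha256 and e.sha256 not in found:
                    found.add(e.sha256)
                    queue.append(e.sha256)
        return found

    def infected_hosts(self, sha256: str) -> list[str]:
        """Hosts that saw the file or anything it dropped, even where the dropper itself was never seen."""
        family = {sha256} | self.descendants(sha256)
        return sorted({e.host for e in self.events if e.sha256 in family})


def run_demo() -> tuple[RetrospectiveEngine, Optional[dict]]:
    """Replay the constructed telemetry, then flip the dropper's verdict after the fact."""
    engine = RetrospectiveEngine()
    for ev in EVENTS:
        engine.observe(ev)        # every event is "allowed": the initial disposition is clean
    alert = engine.update_disposition(DROPPER, "malicious")
    return engine, alert


if __name__ == "__main__":
    _, alert = run_demo()
    print(alert)
```

The point of the model is the split between `observe`, which can only act on what is known at the moment a file is seen, and `update_disposition`, which walks the retained history once the verdict changes; host-03 is caught only because `infected_hosts` follows the parent links to the payload, since the dropper itself never appeared there.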
FireAMP Delivers Multiple Lines of Detection
Reputation filtering and file sandboxing, built from:
One-to-One Signature
Fuzzy Fingerprinting
Machine Learning
Advanced Analytics
Dynamic Analysis
AMP for FirePOWER and FireAMP Demo
When Malware Strikes, Have Answers
Where did it come from? Device Trajectory
Who else is infected? File Trajectory
What is it doing? File Analysis
How do I stop it? Retrospective detection
AMP Everywhere
AMP for FirePOWER
FireAMP
ESA (Email Security Appliance)
WSA (Web Security Appliance)
CWS (Cloud Web Security)
NSS Labs Security Value Map (SVM) for Breach Detection Systems
Chart axes: Security Effectiveness versus TCO per Protected-Mbps.
Cisco Advanced Malware Protection: Best Protection Value, with a 99.0% Breach Detection Rating and the lowest TCO per Protected-Mbps.
FVC Case Study: Defend Against Threats During the Attack (DURING)
Challenge
The previous, bulky malware solution was not centrally managed, which made it difficult for IT to monitor and troubleshoot the network effectively.
Solution
Installed FireAMP on endpoints for a lighter footprint, central monitoring and real-time, remote visibility.
Result
FireAMP's dashboard helped the team find and stop threats much faster than previous methods. What used to take them hours now only requires 2-3 minutes. With remote management, the team is also able to solve many issues remotely and keep employees productive.
Power Utility Case Study: Identify Scope and Remediate Impact After Breach (AFTER)
Challenge
The company is a frequent victim of spear phishing campaigns, with indications of infection emanating from multiple sources.
Solution
Added FireAMP to a system already using FirePOWER to enable them to track and investigate suspicious file activity.
Result
The company gained complete visibility into their malware infections, determined the attack vector, assessed the impact to the network and made intelligent, surgical decisions for remediation in a fraction of the time it would take to respond manually.
Q & A