The World Against the Bad, Cisco AMP Solution to the Rescue

Uploaded by: cisco-canada
Posted on: 12-Jul-2015
Category: Technology

TRANSCRIPT

Page 1: The World Against the Bad, Cisco AMP Solution to the Rescue

Page 2: Advanced Threat Protection with FireAMP

Page 3: The Industrialization of Hacking

Cisco Confidential 3 C97-731576-00 © 2014 Cisco and/or its affiliates. All rights reserved.

Timeline, 1990 to 2020. Sophistication rises from "phishing, low sophistication", through "hacking becomes an industry", to "sophisticated attacks, complex landscape":

- Viruses: 1990–2000
- Worms: 2000–2005
- Spyware and rootkits: 2005–today
- APTs, cyberware: today and beyond

Page 4: The New Security Model

Attack Continuum, spanning Network, Endpoint, Mobile, Virtual and Cloud:

- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate

Point in Time → Continuous

Page 5: The New Security Model (continued)

The same attack continuum (BEFORE: Discover, Enforce, Harden; DURING: Detect, Block, Defend; AFTER: Scope, Contain, Remediate; Point in Time → Continuous), annotated with the problems it has to address:

- Malware is getting through control-based defenses
- Malware prevention is NOT 100%: breach
- Existing tools are labor intensive and require expertise

Page 6: (slide has no transcribed text)

Page 7: When Malware Strikes, You Have Questions

- Where did it come from?
- Who else is infected?
- What is it doing?
- How do I stop it?

Page 8: Point-in-Time Detection vs. Continuous Analysis

Point-in-time detection (antivirus, sandboxing):

- Initial disposition = Clean
- Analysis stops; not 100%
- Evaded by sleep techniques, unknown protocols, encryption, polymorphism
- Actual disposition = Bad = Too late!!
- Blind to scope of compromise

Continuous analysis with retrospective detection:

- Initial disposition = Clean
- Analysis continues, beyond the event horizon
- Actual disposition = Bad = Blocked; "turns back time"
- Visibility and control are key
- Addresses limitations of point-in-time detection

Page 9: AMP Deployment Options

- AMP for FirePOWER: network-based detection/blocking, as part of IPS or as a standalone appliance
- FireAMP: host, virtual and mobile detection/blocking; threat tracking and remediation

Page 10: Finding Patient 0: Trajectory Analysis (AFTER)

Look wide (AMP for Networks), look deep (AMP for Endpoints):

- What systems were infected?
- When did it happen?
- Where is patient 0?
- What else did it bring in?

Look deep: Device trajectory. Look wide: Network trajectory.
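The retrospective model on page 8 (a file is first seen as clean, the verdict flips to bad later, and the earlier sightings are revisited) and the four trajectory questions on page 10 can be shown together in a small engine. The Python below is an added illustration, not Cisco code and not any AMP API: the event record, the `update_disposition` message, the hostnames and the `sha256-*` labels are all constructed for the example.

```python
"""Retrospective detection and file/device trajectory over a constructed
event stream. Illustration only: the event format, the disposition-update
message, hostnames and hash labels are invented, not Cisco AMP's."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: int        # constructed timestamp (seconds)
    host: str      # endpoint that saw the file
    sha256: str    # placeholder hash label, not a real digest
    action: str    # "download" | "execute" | "create"
    source: str    # URL for downloads, parent hash for creates, "" otherwise


@dataclass
class Verdict:
    disposition: str
    infected_hosts: list[str]                 # who else is infected?
    patient_zero: FileEvent | None            # where is patient 0, when did it happen?
    spread_path: list[tuple[int, str, str]]   # (ts, host, source): network trajectory
    dropped_files: list[str]                  # what else did it bring in? (device trajectory)


class RetrospectiveEngine:
    """Records every sighting so a later verdict change can be applied backwards."""

    def __init__(self) -> None:
        self.disposition: dict[str, str] = {}
        self.sightings: dict[str, list[FileEvent]] = defaultdict(list)
        self.blocked: list[tuple[str, str]] = []   # point-in-time blocks (host, hash)
        self.retro_alerts: list[str] = []          # hashes flagged retrospectively

    def observe(self, ev: FileEvent) -> str:
        """Point-in-time decision: block only what is known bad *now*, but
        keep the sighting so it can be revisited when the verdict changes."""
        self.sightings[ev.sha256].append(ev)
        verdict = self.disposition.get(ev.sha256, "unknown")
        if verdict == "malicious":
            self.blocked.append((ev.host, ev.sha256))
        return verdict

    def update_disposition(self, sha256: str, disposition: str) -> Verdict | None:
        """A verdict arrives later (e.g. a sandbox finishes after the sample's
        sleep timer expires). A flip to malicious triggers retrospection."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = disposition
        if disposition == "malicious" and previous != "malicious":
            self.retro_alerts.append(sha256)
            return self.trajectory(sha256)
        return None

    def trajectory(self, sha256: str) -> Verdict:
        """Answer the four page-10 questions from the recorded sightings."""
        events = sorted(self.sightings.get(sha256, []), key=lambda e: e.ts)
        hosts = sorted({e.host for e in events})
        # first sighting per host, in time order: how the file moved across the estate
        seen: set[str] = set()
        path: list[tuple[int, str, str]] = []
        for e in events:
            if e.host not in seen:
                seen.add(e.host)
                path.append((e.ts, e.host, e.source))
        # files whose create-event names this hash as the parent, on any host
        dropped = sorted({h for h, evs in self.sightings.items()
                          for e in evs if e.action == "create" and e.source == sha256})
        return Verdict(self.disposition.get(sha256, "unknown"), hosts,
                       events[0] if events else None, path, dropped)


def run_demo() -> tuple[RetrospectiveEngine, Verdict]:
    """Constructed scenario: a dropper is seen as unknown, spreads, is flagged later."""
    eng = RetrospectiveEngine()
    dropper, payload = "sha256-dropper-a", "sha256-payload-b"   # placeholder labels
    for ev in [
        FileEvent(1000, "finance-pc-07", dropper, "download", "http://example.invalid/invoice.exe"),
        FileEvent(1100, "finance-pc-07", dropper, "execute", ""),
        FileEvent(1200, "finance-pc-07", payload, "create", dropper),
        FileEvent(1300, "hr-pc-02", dropper, "download", "smb://finance-pc-07/share"),
        FileEvent(1400, "lab-vm-03", dropper, "download", "smb://finance-pc-07/share"),
    ]:
        eng.observe(ev)          # every call returns "unknown": nothing is blocked yet
    verdict = eng.update_disposition(dropper, "malicious")
    assert verdict is not None
    # After the flip, point-in-time blocking catches any new sighting outright.
    eng.observe(FileEvent(1500, "ops-pc-09", dropper, "download", "smb://hr-pc-02/share"))
    return eng, verdict


if __name__ == "__main__":
    engine, v = run_demo()
    print("patient zero:", v.patient_zero)
    print("infected:", v.infected_hosts)
    print("spread path:", v.spread_path)
    print("dropped:", v.dropped_files)
    print("blocked after verdict:", engine.blocked)
```

The point the slide makes is visible in `run_demo`: the first five sightings all pass as "unknown", so a point-in-time control has nothing to act on; only because every sighting was retained can the later verdict produce the patient-zero host, the order in which the file spread, and the payload it dropped. The host seen after the verdict is blocked outright, which is the "Actual Disposition = Bad = Blocked" column on page 8.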

Page 11: FireAMP Delivers Multiple Lines of Detection

Reputation filtering and file sandboxing:

- Dynamic analysis
- Machine learning
- Fuzzy finger-printing
- Advanced analytics
- One-to-one signature

Page 12: AMP for FirePOWER and FireAMP Demo

Page 13: When Malware Strikes, Have Answers

- Where did it come from? → Device Trajectory
- Who else is infected? → File Trajectory
- What is it doing? → File Analysis
- How do I stop it? → Retrospective

Page 14: AMP Everywhere

- AMP for FirePOWER
- FireAMP
- ESA (Email Security Appliance)
- WSA (Web Security Appliance)
- CWS (Cloud Web Security)

Page 15: NSS Labs Security Value Map (SVM) for Breach Detection Systems

[Chart: y-axis "Security Effectiveness", x-axis "TCO per Protected-Mbps"]

Cisco Advanced Malware Protection: best protection value; 99.0% breach detection rating; lowest TCO per Protected-Mbps.

Page 16: Defend Against Threats During the Attack (DURING): FVC Case Study

Challenge: The previous, bulky malware solution was not centrally managed, which made it difficult for IT to monitor and troubleshoot the network effectively.

Solution: Installed FireAMP on endpoints for a lighter footprint, central monitoring and real-time, remote visibility.

Result: FireAMP's dashboard helped the team find and stop threats much faster than previous methods. What used to take them hours now only requires 2-3 minutes. With remote management, the team is also able to solve many issues remotely and keep employees productive.

Page 17: Identify Scope and Remediate Impact After Breach (AFTER): Power Utility Case Study

Challenge: The company is a frequent victim of spear phishing campaigns, with indications of infection emanating from multiple sources.

Solution: Added FireAMP to a system already using FirePOWER to enable them to track and investigate suspicious file activity.

Result: The company gained complete visibility into their malware infections, determined the attack vector, assessed the impact to the network and made intelligent, surgical decisions for remediation in a fraction of the time it would take to respond manually.

Page 18: Q & A