
Proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission. © Ingram Micro Inc.

Cisco AMP4E - Step Ahead of Modern Threats

Dragan Ilić

Solution Architect Networking/Cyber Security SEE

CCIE, CISSP

[email protected]

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

The way we work has changed

Business apps: Salesforce, Office 365, G Suite, etc.

Critical infrastructure: Amazon, Rackspace, Windows Azure, etc.

Branch office

Roaming laptops

Workplace desktops

Internet


Cisco Security Portfolio

Cisco: Threat Intel, Incident Response, Internet Investigations, File Investigations

Network, User/Endpoint, Cloud

SD-Perimeter, NGFW, UTM, Web Security, NGIPS, VPN RA & Device Visibility, MFA / SSO, BYOD, Email Security, EPP / EDR, SIG / CASB, Workload Protection, Security Analytics

Trusted Access, Threat Defense

Cisco Security Architecture

Cisco has built, acquired and partnered to deliver a Security Architecture that facilitates context, policy, event, and threat intelligence sharing.

Native integrations provide simplicity through automation, save time for security operations, and provide better protection through faster threat detection.

Diagram labels: Customer, SOC, Network (ISR/ASR), Web (WWW), Email, NGFW/NGIPS, Threat Grid, Meraki, Cloudlock, AMP, Umbrella, Stealthwatch, ISE

The Most Dangerous 1% of Threats Try to Hide

See What You’ve Been Missing: Endpoint Security from Cisco

• Prevention, Detection, and Response in a single solution
• See the 1% everyone else misses
• Rapid deployment in the cloud or on-premises
• Reduce time to detection <4 hours
• Automated remediation: see once, block everywhere
• Broad platform coverage to protect your business

Cisco AMP Detection Framework: Engines / Capabilities

• Reputation Filtering
• Behavioral Detection
• Dynamic Analysis (Threat Grid)
• Machine Learning (Spero)
• Fuzzy Fingerprinting (Ethos)
• Advanced Analytics (CTA)
• One-to-One Signature (SHA256)
• Indications of Compromise (IOC)
• Device Flow Correlation

Also, offline engines in AMP for Endpoints (TETRA, ClamAV, Exploit Prevention)

The Convergence of EPP and EDR

Endpoint Protection Platforms
• Integrated solution with the following capabilities: anti-malware, personal firewall, port and device control
• Traditional AV (signature-based approach)

Endpoint Detection and Response
• Visibility tool for detection, Incident Response support (post-incident investigation), for proactive threat hunting
• Handling what traditional AV missed

Next Gen Endpoint Security
• A tool which detects and prevents malware infections and provides visibility and control for post infection investigations

Protection Lattice: Reducing Time to Detection

Exploit Prevention Overview (In Memory)

• Make the memory unpredictable by proactively changing its structure
• Make the application aware of the new legitimate memory structure
• Any code accessing the old memory structure is malware and is trapped
• No performance penalty, signatureless

Diagram labels (Inside the Memory Space): Trusted Code, New System Resources, Decoy System Resources, Malicious Code Injection, Trap, Attack Prevented and Trapped

Malicious Activity Protection (On Disk)

• Runtime protection against abnormal behaviors of running programs
• Monitor processes reading, writing, renaming, deleting files in rapid succession (ransomware)

1. User executes a file
2. A file or a process starts encrypting files on disk
3. Ransomware behavior is attributed and blocked or quarantined (per policy)
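As an added example (not Cisco's or the presenter's code), a sliding-window detector for the behaviour this slide describes: one process writing, renaming or deleting many distinct files within a few seconds. The window, the threshold, the event fields and the sample telemetry are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0       # assumed look-back window per process
MAX_PATHS_IN_WINDOW = 20   # assumed threshold: distinct files touched inside the window
SUSPECT_OPS = {"write", "rename", "delete"}

class FileActivityMonitor:
    """Tracks file-modifying operations per process and flags bursts (constructed logic)."""

    def __init__(self, window=WINDOW_SECONDS, threshold=MAX_PATHS_IN_WINDOW):
        self.window = window
        self.threshold = threshold
        self._ops = defaultdict(deque)   # pid -> deque of (timestamp, path)
        self.flagged = {}                # pid -> image name, recorded once per process

    def observe(self, ts, pid, name, op, path):
        """Feed one file event; True when this event tips the process over the threshold."""
        if op not in SUSPECT_OPS:
            return False
        q = self._ops[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:   # drop events older than the window
            q.popleft()
        distinct_paths = {p for _, p in q}        # one file rewritten in a loop is not a burst
        if len(distinct_paths) >= self.threshold and pid not in self.flagged:
            self.flagged[pid] = name
            return True
        return False

def build_sample_events():
    """Constructed telemetry: (ts, pid, image, op, path) for a benign editor and a bulk encryptor."""
    events = [(i * 20.0, 1001, "winword.exe", "write", f"C:\\Users\\a\\doc{i}.docx") for i in range(3)]
    for i in range(30):   # 30 user files rewritten and renamed within about two seconds
        base = f"C:\\Users\\a\\Documents\\file{i}.xlsx"
        events.append((100.0 + i * 0.05, 4242, "evil.exe", "write", base))
        events.append((100.0 + i * 0.05 + 0.01, 4242, "evil.exe", "rename", base + ".locked"))
    return sorted(events)

def run_detection(events):
    """Replay events through the monitor; returns {pid: image} for processes to block or quarantine per policy."""
    mon = FileActivityMonitor()
    for ts, pid, name, op, path in events:
        mon.observe(ts, pid, name, op, path)
    return dict(mon.flagged)

if __name__ == "__main__":
    print(run_detection(build_sample_events()))   # {4242: 'evil.exe'}
```

The distinct-path check is what keeps a log writer that rewrites one file thousands of times from being flagged; only breadth of modification within the window counts.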

Anti-Virus & Custom Blocklist (On Disk)

• Offline Anti-Virus engine for Windows: TETRA
• On-prem Anti-Virus update Server
• Custom File Blocking
  • Simple: SHA256 hash
  • Advanced: MD5 hash, PE section-based signatures, File body-based signatures, Extended signature format (offsets, wildcards, regex), Logical signatures, Icon signatures

Diagram labels: AMP Cloud, TETRA definition updates, External Updates, Customer premises, TETRA Update Server, Internal Updates, Public Wi-Fi, TETRA definitions from cloud

Cloud IOCs = Detect Likely Breaches (Post-Compromise)

• Surface suspicious behavior on a host, a combination of events with malicious intent
• No automated blocking, trigger investigations
• Driven by Cisco Research team
• Example threat detections:
  • Word document launching shell
  • Powershell downloaded a file
  • Registry keys modified to persist
  • WMI executed on a remote system
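As an added example (not Cisco's or the presenter's code), how three of the listed detections fall out of correlating host events rather than judging any single event: an Office process spawning a shell, a PowerShell process that makes a network connection and then writes a file, and a write under a Run key. The event schema, process names, registry path and the telemetry below are assumptions constructed for illustration.

```python
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
RUN_KEY_PREFIX = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"   # assumed persistence location

def correlate_iocs(events):
    """Return unique (ioc_name, pid) pairs found by combining events.

    Each event is a dict with 'ts', 'type' in {'process', 'network', 'file', 'registry'},
    a 'pid' and type-specific fields (see build_sample_events). Findings are meant to
    open an investigation, not to block automatically.
    """
    name_of, net_seen, findings = {}, set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        pid = e["pid"]
        if e["type"] == "process":
            name_of[pid] = e["name"]
            # an Office document's process spawning a shell
            if e["name"] in SHELLS and name_of.get(e["ppid"]) in OFFICE_APPS:
                findings.append(("office_app_launched_shell", pid))
        elif e["type"] == "network":
            net_seen.add(pid)
        elif e["type"] == "file" and e["op"] == "write":
            # PowerShell that made an outbound connection and then wrote a file to disk
            if name_of.get(pid) == "powershell.exe" and pid in net_seen:
                findings.append(("powershell_downloaded_file", pid))
        elif e["type"] == "registry" and e["key"].startswith(RUN_KEY_PREFIX):
            findings.append(("run_key_modified_for_persistence", pid))
    return list(dict.fromkeys(findings))   # dedupe, keep first-seen order

def build_sample_events():
    """Constructed telemetry: a macro document spawning PowerShell, plus a benign user shell."""
    return [
        {"ts": 1, "type": "process", "pid": 100, "ppid": 1, "name": "explorer.exe"},
        {"ts": 2, "type": "process", "pid": 200, "ppid": 100, "name": "winword.exe"},
        {"ts": 3, "type": "process", "pid": 300, "ppid": 200, "name": "powershell.exe"},
        {"ts": 4, "type": "network", "pid": 300, "dst": "203.0.113.10:443"},   # TEST-NET address
        {"ts": 5, "type": "file", "pid": 300, "op": "write", "path": r"C:\Users\a\AppData\Local\Temp\u.exe"},
        {"ts": 6, "type": "registry", "pid": 300, "key": RUN_KEY_PREFIX + r"\Updater"},
        {"ts": 7, "type": "process", "pid": 400, "ppid": 100, "name": "cmd.exe"},   # user-launched, no IOC
    ]

if __name__ == "__main__":
    for ioc, pid in correlate_iocs(build_sample_events()):
        print(f"{ioc}: pid {pid}")
```

The shell started from explorer.exe at ts 7 produces nothing, which is the point of the slide's "combination of events": the parent process, the preceding network activity and the registry location are what separate the findings from ordinary activity.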

Device Flow Correlation (Post-Compromise)

• A kernel-level view into Network I/O that allows blocking or alerting on network activity tracked back to the initiating process (dropper detection)
• Relies on Cisco Talos Intelligence/IP Reputation Data for blocking of connections to known:
  • C&C hosts
  • Phishing hosts
  • Botnet hosts, etc.
• Custom user-defined IP whitelists and blacklists

Diagram labels: Users, Timestamp, Device IP/Port/Protocol, Destination IP/Port/Protocol, URLs / Domains, File downloads, C&C, C&C Server

BRKSEC-3446

Configuring Engines

Malicious Activity Protection: Quarantine will block & remove the offending file.

System Process Protection: Enabled / Disabled only; extends SelfProtect to system processes.

Exploit Prevention (ExPrev): Enabled / Disabled only – all protected applications will be protected.

Powered by Cisco Talos: The Largest Commercial Threat Intelligence Team in the World

• 100 TB of data received per day
• 1.6 million global sensors
• More than 150 million deployed endpoints
• Experienced team of engineers, technicians, and researchers
• 35% worldwide email gateway traffic
• AMP Threat Grid intelligence
• AMP Threat Grid dynamic analysis: 10 million files per month
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.5 million incoming malware samples per day
• AMP Community
• Private/public threat feeds
• Advanced Microsoft and industry disclosures
• Snort and ClamAV open source communities
• AEGIS Program (aegis: noun, Classical Mythology, the defender of the shore)

Differentiating through Talos: Unmatched Visibility and Threat Research

Every day: 600 Billion Email Samples, 16 Billion Web Requests, 3.4 Billion AMP Queries

19.7 Billion Threats Blocked DAILY, about 3 threats per person (7.5 Billion Total World Population)

Cisco Threat Response

The Incident Responder

“How did it happen and what more do I need to know?”

Age: 32
Work: SOC Data Center Desk
Security Investigator Experience (Years): 10

Biography: Security events requiring deeper investigation come to me. I focus on finding the proper security data and determine what happened: Why, When, and then come up with recommendations for future prevention.

Goals
1. Monitor network and safely gather artifacts for concerning events
2. Iteratively reconstruct an event by correlating findings from multiple sources
3. Modify procedures and employ remediation strategies

Challenges
1. Sifting through disparate information sources and tools
2. Accurately tracing evidence
3. Thoroughly understanding erratic activity
4. Communicating what happened to non-technical audiences

Threat Response – Put it All Together

Diagram labels: SecOps; Internal Monitoring; Threat Intelligence; Why? How? Is it bad? Has it affected us?

Inputs to Cisco Threat Response: EPP, NGIPS, DNS Security, Etc; EPP logs, NGIPS logs, DNS logs, Etc; File Analysis, Domain reputation, IP reputation, Etc

Cisco Integrated Security Architecture

Aggregates threat intelligence from our products in a single location

Increases security efficacy by bringing the power of Cisco Talos to every SOC

Improves operational efficiency by reducing detection and remediation time

Demonstrates the power of our integrated security architecture

You’re already entitled to Threat Response if you have...

Cisco Threat Response is included...with select Cisco Security product licenses

Cisco Email Security

Cisco Threat Grid

Cisco AMP for Endpoints

Cisco Umbrella
