TRANSCRIPT
Proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission.© Ingram Micro Inc.1
Cisco AMP4E - Step Ahead of Modern Threats
Dragan Ilić
Solution Architect Networking/Cyber Security SEE
CCIE, CISSP
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The way we work has changed
• Business apps: Salesforce, Office 365, G Suite, etc.
• Critical infrastructure: Amazon, Rackspace, Windows Azure, etc.
• Branch office
• Roaming laptops
• Workplace desktops
• Internet
Cisco Security Portfolio
• Cisco services: Threat Intel, Incident Response, Internet Investigations, File Investigations
• Domains: Network, User/Endpoint, Cloud
• Capabilities: SD-Perimeter, NGFW, UTM, NGIPS, Web Security, VPN RA, Device Visibility, MFA / SSO, BYOD, Email Security, EPP / EDR, SIG / CASB, Workload Protection, Security Analytics
• Pillars: Trusted Access, Threat Defense
Cisco Security Architecture
• Customer SOC
• Products: ISR/ASR, Web, NGFW/NGIPS, Threat Grid, Meraki, Cloudlock, AMP, Umbrella, Stealthwatch, ISE
Cisco has built, acquired and partnered to deliver a Security Architecture that facilitates context, policy, event, and threat intelligence sharing.
Native integrations provide simplicity through automation, save time for security operations, and provide better protection through faster threat detection.
The Most Dangerous 1% of Threats Try to Hide
See What You’ve Been Missing: Endpoint Security from Cisco
• Prevention, Detection, and Response in a single solution
• See the 1% everyone else misses
• Rapid deployment in the cloud or on-premises
• Reduce time to detection to under 4 hours
• Automated remediation: see once, block everywhere
• Broad platform coverage to protect your business
Cisco AMP Detection Framework: Engines / Capabilities
• Reputation Filtering
• Behavioral Detection
• Dynamic Analysis (Threat Grid)
• Machine Learning (Spero)
• Fuzzy Fingerprinting (Ethos)
• Advanced Analytics (CTA)
• One-to-One Signature (SHA256)
• Indications of Compromise (IOC)
• Device Flow Correlation
Also, offline engines in AMP for Endpoints (TETRA, ClamAV, Exploit Prevention)
The Convergence of EPP and EDR
Endpoint Protection Platforms
• Traditional AV (signature-based approach)
• Integrated solution with the following capabilities: anti-malware, personal firewall, port and device control
Endpoint Detection and Response
• Visibility tool for detection, Incident Response support (post-incident investigation), for proactive threat hunting
• Handling what traditional AV missed
Next Gen Endpoint Security
• A tool which detects and prevents malware infections and provides visibility and control for post infection investigations
Protection Lattice: Reducing Time to Detection
Exploit Prevention Overview
In Memory
• Make the memory unpredictable by proactively changing its structure
• Make the application aware of the new legitimate memory structure
• Any code accessing the old memory structure is malware and is trapped
• No performance penalty, signatureless
Diagram (Inside the Memory Space): Decoy System Resources, New System Resources, Trusted Code, Trap; Malicious Code Injection; Attack Prevented and Trapped
Malicious Activity Protection
• Runtime protection against abnormal behaviors of running programs
• Monitor processes reading, writing, renaming, deleting files in rapid succession (ransomware)
Diagram (On Disk): 1. User executes a file; 2. A file or a process starts encrypting files on disk; 3. Ransomware behavior is attributed and blocked or quarantined (per policy)
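A minimal version of the rapid-succession heuristic the slide describes, run over constructed file-activity events; this is an added illustration, not Cisco's engine, and the window, threshold and event layout are this example's own assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0   # assumed sliding window
THRESHOLD = 20         # assumed number of destructive ops inside one window
DESTRUCTIVE = {"write", "rename", "delete"}

# Constructed sample telemetry, not real endpoint data:
# (timestamp_seconds, pid, process_name, operation, path)
EVENTS = [
    (0.0, 1001, "winword.exe", "read", r"C:\Users\a\report.docx"),
    (0.5, 1001, "winword.exe", "write", r"C:\Users\a\report.docx"),
]
# A process that reads, rewrites and renames 15 user files within 1.5 seconds.
EVENTS += [(10.0 + i * 0.1 + j * 0.02, 2002, "crypt.exe", op, rf"C:\Users\a\{i}.docx")
           for i in range(15) for j, op in enumerate(("read", "write", "rename"))]
# A backup job that writes 20 files spread over a minute (slow, so benign here).
EVENTS += [(100.0 + i * 3.0, 3003, "backup.exe", "write", rf"D:\bak\{i}.bak")
           for i in range(20)]

def detect_ransomware_bursts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {pid: (process_name, alert_time, distinct_files)} for every process
    whose destructive file operations reach `threshold` inside `window` seconds.
    A real engine would then block or quarantine per policy; here we only report."""
    recent = defaultdict(deque)   # pid -> deque of (timestamp, path) still in window
    alerts = {}
    for ts, pid, name, op, path in sorted(events):
        if op not in DESTRUCTIVE:
            continue
        q = recent[pid]
        q.append((ts, path))
        while ts - q[0][0] > window:   # drop operations that fell out of the window
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = (name, ts, len({p for _, p in q}))
    return alerts

if __name__ == "__main__":
    for pid, (name, ts, files) in detect_ransomware_bursts(EVENTS).items():
        print(f"ALERT pid={pid} {name}: {files} files modified by t={ts:.2f}s")
```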
Anti-Virus & Custom Blocklist
• Offline Anti-Virus engine for Windows: TETRA
• On-prem Anti-Virus update Server
• Custom File Blocking
  • Simple:
    • SHA256 hash
  • Advanced:
    • MD5 hash
    • PE section-based signatures
    • File Body-based signatures
    • Extended signature format (offsets, wildcards, regex)
    • Logical signatures
    • Icon signatures
Diagram (On Disk): TETRA definitions from cloud (AMP Cloud); TETRA Update Server on customer premises (Internal Updates); Public Wi-Fi (External Updates); TETRA definition updates
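How the simple (SHA256) and advanced (MD5, extended signature with offsets and wildcards) entries listed above are matched, as an added example that is not Cisco's code; it assumes the advanced entries follow ClamAV's signature syntax, and every hash and signature in it is constructed.

```python
import hashlib
import re

# Constructed blocklist for this example (not real detections). The simple list
# holds SHA256 hashes; the advanced list holds MD5 hashes and extended signatures
# written in ClamAV's .ndb layout Name:TargetType:Offset:HexSignature. Assumption:
# AMP's advanced custom detections follow ClamAV syntax, as the engine list suggests.
SIMPLE_SHA256 = {hashlib.sha256(b"known bad sample").hexdigest()}
ADVANCED_MD5 = {hashlib.md5(b"another bad sample").hexdigest()}
EXTENDED_SIGS = [
    "Example.Marker.A:0:*:4d5a??0000*626164",   # "MZ", any byte, 00 00, anything, "bad"
    "Example.Marker.B:0:0:deadbeef",             # bytes must sit exactly at offset 0
]

def hexsig_to_regex(hexsig):
    """Translate the wildcard subset '??' (one byte) and '*' (any bytes) to a bytes regex."""
    parts = []
    for tok in re.findall(r"\?\?|\*|[0-9a-fA-F]{2}", hexsig):
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data):
    """Return the matching blocklist entry name, or None if the content is not listed."""
    if hashlib.sha256(data).hexdigest() in SIMPLE_SHA256:
        return "simple:sha256"
    if hashlib.md5(data).hexdigest() in ADVANCED_MD5:
        return "advanced:md5"
    for sig in EXTENDED_SIGS:
        name, _target, offset, hexsig = sig.split(":")
        rx = hexsig_to_regex(hexsig)
        # '*' offset: anywhere in the file; numeric offset: anchored at that byte position
        hit = rx.search(data) if offset == "*" else rx.match(data, int(offset))
        if hit:
            return name
    return None

if __name__ == "__main__":
    for sample in (b"known bad sample", b"MZ\x90\x00\x00stub...bad", b"hello"):
        print(sample[:12], "->", scan(sample))
```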
Cloud IOCs = Detect Likely Breaches (Post-Compromise)
• Surface suspicious behavior on a host, a combination of events with malicious intent
• No automated blocking, trigger investigations
• Driven by Cisco Research team
• Example threat detections:
  • Word document launching shell
  • PowerShell downloaded a file
  • Registry keys modified to persist
  • WMI executed on a remote system
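The four example detections above, written as behavioural rules over constructed host telemetry; this is an added illustration and not Cisco's IOC logic, and the event layout, process lists and registry pattern are this example's assumptions.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Autostart locations commonly used for persistence (assumed list for this example).
PERSIST_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Constructed endpoint telemetry for one host, in time order (not real data).
EVENTS = [
    {"type": "process_start", "pid": 10, "ppid": 1, "image": "explorer.exe"},
    {"type": "process_start", "pid": 20, "ppid": 10, "image": "winword.exe"},
    {"type": "process_start", "pid": 30, "ppid": 20, "image": "powershell.exe"},
    {"type": "net_connect", "pid": 30, "dst": "203.0.113.9:443"},
    {"type": "file_write", "pid": 30, "path": r"C:\Users\a\AppData\Local\Temp\upd.exe"},
    {"type": "registry_set", "pid": 30,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"type": "process_start", "pid": 40, "ppid": 5, "image": "wmiprvse.exe"},
    {"type": "process_start", "pid": 41, "ppid": 40, "image": "cmd.exe"},
    {"type": "process_start", "pid": 50, "ppid": 10, "image": "powershell.exe"},
    {"type": "file_write", "pid": 50, "path": r"C:\Users\a\notes.txt"},  # no download first
]

def evaluate_iocs(events):
    """Return [(ioc_name, pid), ...] for events that match one of four behavioural
    rules mirroring the slide's examples. Nothing is blocked: each hit is a lead
    for an analyst, which is how the slide positions Cloud IOCs."""
    image, connected, hits = {}, set(), []
    for e in events:
        pid, kind = e["pid"], e["type"]
        if kind == "process_start":
            image[pid] = e["image"].lower()
            parent = image.get(e["ppid"], "")
            if parent in OFFICE and image[pid] in SHELLS:
                hits.append(("office_document_launching_shell", pid))
            if parent == "wmiprvse.exe":   # WMI provider host spawning a process
                hits.append(("wmi_remote_execution", pid))
        elif kind == "net_connect":
            connected.add(pid)
        elif kind == "file_write" and image.get(pid) == "powershell.exe" and pid in connected:
            hits.append(("powershell_downloaded_file", pid))
        elif kind == "registry_set" and PERSIST_KEY.search(e["key"]):
            hits.append(("registry_persistence", pid))
    return hits

if __name__ == "__main__":
    for name, pid in evaluate_iocs(EVENTS):
        print(f"IOC {name} pid={pid}")
```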
Device Flow Correlation (Post-Compromise)
• A kernel-level view into Network I/O that allows blocking or alerting on network activity tracked back to the initiating process (dropper detection)
• Relies on Cisco Talos Intelligence/IP Reputation Data for blocking of connections to known:
  • C&C hosts
  • Phishing hosts
  • Botnet hosts, etc.
• Custom user-defined IP whitelists and blacklists
Diagram: per-connection record of Users, Timestamp, Device IP/Port/Protocol, Destination IP/Port/Protocol, URLs / Domains, File downloads; C&C traffic to a C&C Server
BRKSEC-3446
Configuring Engines
• Malicious Activity Protection: Quarantine will block & remove the offending file.
• System Process Protection: Enabled / Disabled only, extends SelfProtect to system processes
• Exploit Prevention (ExPrev): Enabled / Disabled only; all protected applications will be protected
Powered by Cisco Talos: The Largest Commercial Threat Intelligence Team in the World
• 100 TB of data received per day
• 1.6 million global sensors
• More than 150 million deployed endpoints
• Experienced team of engineers, technicians, and researchers
• 35% worldwide email gateway traffic
• AMP Threat Grid intelligence
• AMP Threat Grid dynamic analysis: 10 million files per month
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.5 million incoming malware samples per day
• AMP Community
• Private/public threat feeds
• Advanced Microsoft and industry disclosures
• Snort and ClamAV open source communities
• AEGIS Program (noun, Classical Mythology: the defender of the shore)
Every day: 600 Billion Email Samples, 16 Billion Web Requests, 3.4 Billion AMP Queries
19.7 Billion Threats Blocked DAILY: about 3 threats per person (7.5 Billion Total World Population)
Differentiating through Talos: Unmatched Visibility and Threat Research
Cisco Threat Response
The Incident Responder
“How did it happen and what more do I need to know?”
Age: 32
Work: SOC Data Center Desk
Security Investigator Experience (Years): 10
Biography: Security events requiring deeper investigation come to me. I focus on finding the proper security data and determine what happened: Why, When, and then come up with recommendations for future prevention.
Goals
1. Monitor network and safely gather artifacts for concerning events
2. Iteratively reconstruct an event by correlating findings from multiple sources
3. Modify procedures and employ remediation strategies
Challenges
1. Sifting through disparate information sources and tools
2. Accurately tracing evidence
3. Thoroughly understanding erratic activity
4. Communicating what happened to non-technical audiences
Threat Response – Put it All Together
• Questions: Is it bad? Has it affected us? How? Why?
• Inputs: SecOps, Internal Monitoring, Threat Intelligence
• Products: EPP, NGIPS, DNS Security, etc.
• Enrichment: File Analysis, Domain reputation, IP reputation, etc.
• Logs: EPP logs, NGIPS logs, DNS logs, etc.
• Cisco Threat Response brings these together for SecOps
Cisco Integrated Security Architecture
• Aggregates threat intelligence from our products in a single location
• Increases security efficacy by bringing the power of Cisco Talos to every SOC
• Improves operational efficiency by reducing detection and remediation time
• Demonstrates the power of our integrated security architecture
Cisco Threat Response is included with select Cisco Security product licenses. You’re already entitled to Threat Response if you have:
Cisco Email Security
Cisco Threat Grid
Cisco AMP for Endpoints
Cisco Umbrella