cisco security - grupo orbe · 2017-11-27 · cisco security . the new security model ... harden...

Guillermo González, Security Systems Engineer, October 2017. Advanced Malware Protection, Cisco Security.


Page 1

Advanced Malware Protection

Cisco Security

Guillermo González, Security Systems Engineer, October 2017

Page 2

The New Security Model

Attack Continuum across Data Center/Servers, Endpoints, Email and Web, Network, Mobile

Before: Discover, Enforce, Harden

During: Detect, Block, Defend

After: Scope, Contain, Remediate

Threat intelligence and analytics

Point-in-Time detection

Retrospective security and continuous analysis

Page 3

Gain security backed by the most advanced threat intelligence


24 x 7 x 365 Operations

100 TB of Data Received Daily

1.5 MILLION Daily Malware Samples

600 BILLION Daily Email Messages

16 BILLION Daily Web Requests

MILLIONS of Telemetry Agents

4 Global Data Centers

Over 100 Threat Intelligence Partners

250+ Full Time Threat Intel Researchers

Global scanning

30 years building the world’s networks

Coverage: WEB, ENDPOINT, CLOUD, EMAIL, VIRTUAL, NETWORK

Page 4

Cisco Advanced Malware Protection: Built on Unmatched Collective Security Intelligence

§ 1.6 million global sensors
§ 100 TB of data received per day
§ 150 million+ deployed endpoints
§ Team of engineers, technicians, and researchers
§ 35% worldwide email traffic
§ 13 billion web requests
§ 24x7x365 operations
§ 4.3 billion web blocks per day
§ 40+ languages
§ 1.1 million incoming malware samples per day
§ AMP Community
§ Private/Public Threat Feeds
§ Talos Security Intelligence
§ AMP Threat Grid Intelligence
§ AMP Threat Grid Dynamic Analysis: 10 million files/month
§ Advanced Microsoft and Industry Disclosures
§ Snort and ClamAV Open Source Communities
§ AEGIS Program

Control points (Web/WWW, Endpoints, Devices, Networks, Email, IPS): automatic updates in real time


Cisco® Collective Security Intelligence

AMP Threat Intelligence Cloud

AMP: Advanced Malware Protection

Page 5

AMP Plan A: Prevention

1-to-1 Signatures

Ethos (polymorphic malware detection)

Spero (machine learning)

IOCs

Dynamic Analysis

Advanced Analytics

Device Flow Correlation

Reputation Filtering

Behavioral Detection

All Methods < 100% Detection

AMP Plan B: Retrospective Security

Page 6

Continuous Analysis and Retrospective Security


Breadth and control points: Web/WWW, Endpoints, Network, Email, Devices, IPS

Telemetry Stream (continuous feed, continuous analysis): File Fingerprint and Metadata; Process Information; File and Network I/O

Talos + Threat Grid Intelligence

Trajectory

Behavioral Indications of Compromise

Threat Hunting

Retrospective Detection

Page 7

Continuous (www.cisco.com/go/amp)

Cisco AMP gives you the answers to the most common questions after a breach. It looks ACROSS the organization and answers:

• When did it happen?
• Where is patient 0?
• What systems were infected?
• What was the entry point?
• What else did it bring in?

Page 8

The AMP Everywhere Architecture: AMP Protection Across the Extended Network for an Integrated Threat Defense

AMP Threat Intelligence Cloud

AMP for Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS and Red Hat Linux for servers and datacenters; Remote Endpoints (AMP for Endpoints can be launched from AnyConnect)

AMP on Web and Email Security Appliances

AMP on Cisco® NGFW Firewalls

AMP Private Cloud Virtual Appliance

AMP for Networks (AMP on Firepower NGIPS Appliance bundle)

AMP on Cloud Web Security and Hosted Email (CWS/CTA)

Threat Grid: Malware Analysis + Threat Intelligence Engine

AMP on ISR with Firepower Services

Page 9

Cisco AMP: AMP Everywhere

Traffic types: Internet, all other traffic, web traffic, email traffic

ON NETWORK:
ASA / Firepower / Meraki: blocks inline by IP, URL or packet
ESA/CES: blocks by sender or content
WSA/CWS: blocks by URL or content via proxy
OpenDNS: blocks by domain as well as IP or URL

OFF NETWORK:
ESA/CES: blocks by sender or content
CWS: blocks by URL or content via proxy
OpenDNS: blocks by domain as well as IP or URL

Page 10

How it works

Internet → AMP Connector → Check hash → AMP (cloud)

ThreatGrid Connector → Submit file

Page 11

Diagram components: NGFW; Malware Sandbox; Security Web Proxy; NGIPS; NGIPS; Cisco ESA Email Security Appliance with AMP; Mail Server; File Server; Cisco FMC; Log Management; Vulnerability Management

Network zones: Users Network; SOC / NOC; Admin Network; DMZ Production; DMZ Security; DMZ Security 2

File hash lookup: 8A8116429189D631FC0059627....

Dispositions: CLEAN, UNKNOWN

AMP Threat Intelligence Cloud

Score > 90: MALICIOUS

AMP on ESA

Score < 91: MALICIOUS

Page 12

Cisco Email Security

Management: Reporting, Message Tracking

Admin / HQ

Talos

Cisco Appliance, Virtual, Cloud

Inbound Email: Anti-Spam and Anti-Virus; Mail Flow Policies; Data Loss Protection; Encryption

Outbound Email: Outbound Liability

Actions: Allow, Warn, Block, Partial Block

Controls, marked on the slide with X across Before / During / After:
Email Reputation; Acceptance Controls; File Reputation; Anti-Spam; Anti-Virus; Outbreak Filters; Mail Flow Policies; Graymail Management; Safe Unsubscribe; Content Controls; Anti-Phish; ThreatGrid; URL Rep & Cat
Tracking User Click Activity (Anti-Phish)
File Sandboxing & Retrospection

Page 13

AMP with ThreatGrid

Starting with the 9.5 version of code, public cloud and local sandboxing are supported.

Components: Email; ESA AMP connector (Local AV Scanners, Pre-Classification, AMP Client, Local Cache, Sandbox connector); Cisco Talos AMP Cloud; Cisco AMP ThreatGrid

Flow labels on the slide:
File Reputation Query
Qualified file: upload for sandboxing
AMP feedback loop only for malicious files
Disposition Query
Update the cache with disposition value & upload_action
Heartbeat retrospective
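The hash lookup, sandbox upload, cache update and retrospective steps sketched on pages 10, 11 and 13, as an added simulation that is not Cisco's code: a toy connector hashes a file, consults its local cache and a stand-in cloud, sandboxes unknown PE files with a constructed scoring stub, applies the slide's "score > 90" rule, and for Plan B replays the trajectory so a later verdict change names the hosts that already saw the file, patient zero first (the page 7 questions). All host names, file contents, the cloud dictionary and the sandbox stub are constructed assumptions.

```python
# Added example, not Cisco's code: toy AMP connector with Plan A (prevention) and Plan B (retrospection).
import hashlib
from dataclasses import dataclass, field

CLEAN, UNKNOWN, MALICIOUS = "CLEAN", "UNKNOWN", "MALICIOUS"


def sandbox_score(data: bytes) -> int:
    """Constructed stand-in for Threat Grid dynamic analysis: a marker string plays the part of bad behaviour."""
    return 95 if b"DROP-AND-RUN" in data else 10


@dataclass
class AmpConnector:
    cloud: dict                                      # stand-in AMP cloud: sha256 -> disposition
    cache: dict = field(default_factory=dict)        # local disposition cache on this connector
    trajectory: list = field(default_factory=list)   # (host, sha256) in the order files were seen

    def check_file(self, host: str, data: bytes):
        """Plan A: hash the file, ask cache then cloud, sandbox a qualified unknown file."""
        sha = hashlib.sha256(data).hexdigest()
        self.trajectory.append((host, sha))          # recorded even for clean/unknown files: needed later
        if sha in self.cache:                        # cache hit: no cloud query, no upload
            return sha, self.cache[sha]
        disp = self.cloud.get(sha, UNKNOWN)          # file reputation / disposition query
        if disp == UNKNOWN and data.startswith(b"MZ"):   # "qualified file" (PE) -> upload for sandboxing
            if sandbox_score(data) > 90:             # slide rule: score > 90 is MALICIOUS
                disp = MALICIOUS
                self.cloud[sha] = disp               # feedback loop only for malicious files
        self.cache[sha] = disp                       # update the cache with the disposition value
        return sha, disp

    def retrospective(self, sha: str, new_disp: str) -> dict:
        """Plan B: the cloud changes its verdict later; report who saw the file, patient zero first."""
        self.cloud[sha] = new_disp
        self.cache[sha] = new_disp
        hosts = [h for h, s in self.trajectory if s == sha]
        return {"disposition": new_disp, "patient_zero": hosts[0] if hosts else None,
                "hosts": list(dict.fromkeys(hosts))}


def run_scenario() -> dict:
    """Constructed sample: a dropper, a helper PE seen on two hosts, a text file, then a reclassification."""
    amp = AmpConnector(cloud={})
    _, dropper = amp.check_file("hq-pc-01", b"MZ\x90\x00 setup.exe DROP-AND-RUN")
    helper_sha, helper = amp.check_file("hq-pc-02", b"MZ\x90\x00 helper.exe")
    _, helper_again = amp.check_file("hq-pc-03", b"MZ\x90\x00 helper.exe")   # served from the cache
    _, text = amp.check_file("hq-pc-04", b"quarterly report, not a qualified file")
    retro = amp.retrospective(helper_sha, MALICIOUS)
    return {"dropper": dropper, "helper": helper, "helper_again": helper_again, "text": text, "retro": retro}
```

The cache hit on hq-pc-03 is what makes the trajectory record matter: without it, a later verdict change could never reach hosts that were never asked the cloud.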

Page 14

AMP for Networks: Plan B, Retrospective Security

www.cisco.com/go/amp

Page 15

What: These applications are affected

Where: The breach affected these areas

When: This is the scope of exposure over time

How: Here is the origin and progression of the threat

Who: Focus on these users first

AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage