Post on 21-Feb-2017
Sean Earhard, Advanced Threat Solutions, seearhar@cisco.com / 647-988-4945
Jean-Paul Kerouanton, Advanced Threat Solutions CSE, jkerouan@cisco.com / 647-929-5938
EXPOSING ADVANCED THREATS: AMP
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
HOW QUICKLY CAN YOUR TEAM—AND YOUR SECURITY VENDORS—DELIVER THE ANSWERS TO THESE QUESTIONS:
WHERE DID IT ORIGINATE?
HOW DID IT SUCCEED?
HOW MANY MACHINES/USERS?
WHAT IS IT DOING NOW?
HOW CAN IT BE STOPPED?
WITH 100% CONFIDENCE?
24 HOURS IN ENTERPRISE SECURITY: 2016 vs. 2015

                                                                    2016    2015
Systems will successfully stop a threat                              72      32
Systems will be found to be breached                                  6      24
Breached systems will have been breached for over a week              1       3
Deployed systems having vulnerable software                          48%     28%
More likely to be breached if a vulnerable application exists        62%     39%
More likely to be breached if they have been breached in the past    35%     38%
TYPICAL CYBERSECURITY WORKFLOW vs. TIME REQUIRED

BLOCK: Protection fails. Today, 1.5M unique threats will be discovered – even 99.9% protection will fail 1,500 times.
“How are we finding these failures in our environment?”

RESPOND TO ALERTS: Security tools generate 100’s, even 1,000’s of alerts each day. Any one of those could be a breach in progress.
“How do we know we’re responding to the right alerts?”

INVESTIGATE INCIDENTS: When a cybersecurity incident impacts the business, the business needs answers:
• Where did it start?
• How did it succeed?
• How long have we been compromised?
• How many machines are impacted?
• How can it be stopped?
“How long does it take us to answer these questions?”

REIMAGE + RECOVER: Reimaging is not recovering. The average compromised machine remains undiscovered for 200+ days.
“How long does it take us to find the rest of the machines compromised by the same attack?”

IMPROVE DEFENSE: Reducing the attack surface means upgrading security policy – but the average organization manages 34-55 security tools.
“How long does it take us to redefine security in all our tools?”
1. BLOCK
Stay out!
THE ATTACK CONTINUUM
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
(Each phase is plotted against its own BUDGET and TIME.)
Firewall
App Control
VPN
Patch Mgmt
Vuln Mgmt
IAM/NAC
IPS
Antivirus
Email/Web
IDS
FPC
Forensics
AMD
Log Mgmt
SIEM
BEFORE, DURING AND AFTER IN ACTION
Point-in-time threat inspection: antivirus, network, web, email.
This population of threats is 100% effective, 100% of the time.
LEGACY SECURITY PRODUCTION MODEL (TODAY)
1. Mass sample collection (MALWARE SAMPLE #A4409K)
2. Prioritized sample processing (MALWARE ANALYSIS #A4409K)
3. Prioritized detection creation (SIGNATURE UPDATE #A4409K)
4. Signature payload distribution
ATTACK FLOW EXAMPLE
• Firefox user connects to http://www.downloaders.com and downloads an unknown .zip.
• Two files are accessed when the .zip is opened: b260653178.exe and a PDF.
• PDF Reader application is opened to read the PDF; Acrobat launches svchost.exe.
• svchost.exe connects to http://192.168.1.12.
• File #3 connects to 4 IP addresses, opens a dialog window and awaits response.
• The last unknown file launches calc.exe, hollows the process and begins listening for remote connections.
• Geolocates and then connects to a C&C server.
AMP callouts along the flow: 3 files are downloaded but 2 are blocked by AMP; File #4 is downloaded; AMP Cloud issues a retrospective block.
37% FALSE NEGATIVES ARE COUNTED AS SECURITY ‘WINS’
WHAT IS GARTNER ADVISING ABOUT THIS?
65% of CEOs say their risk management approach is falling behind.
“In a new reality where security breaches come at a daily rate, we must move away from trying to achieve the impossible perfect protection and instead invest in detection and response. Organizations should move their investments from 90 percent prevention and 10 percent detection and response to a 60/40 split.”
– Peter Sondergaard, Senior VP and Global Head of Research, Gartner
WHO IS THE TOP ‘DETECTION AND RESPONSE’ VENDOR?
NSS LABS: BREACH DETECTION SYSTEMS
• Over 5 billion discrete data elements
• Hundreds of victim machines
• Collection and analysis of terabytes of logs
• Hundreds of discrete samples used in current campaigns
• Exploits, malware, and evasion testing was performed using regularly abused compromise mediums such as web and email—leveraging multiple common document types
• Over 100 unique evasion mechanics were tested
AMP: ONLY VENDOR TO BLOCK 100% OF EVASION TECHNIQUES. TOP VENDOR 2 YEARS IN A ROW. CISCO AMP RATED 99.2% EFFECTIVE.

2015 Gartner MQ for Intrusion Prevention Systems:
“The Advanced Malware Protection (AMP) products provide a quicker path to adding advanced threat capabilities… competing well against stand-alone and established advanced persistent threat (APT) solution vendors.”
THE CISCO RESPONSE
AMP OVERVIEW
Cisco Advanced Malware Protection Built on Unmatched Collective Security Intelligence
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600 engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
Intelligence sources:
• AMP Community
• Private/Public Threat Feeds
• Talos Security Intelligence
• AMP Threat Grid Intelligence
• AMP Threat Grid Dynamic Analysis: 10 million files/month
• Advanced Microsoft and Industry Disclosures
• Snort and ClamAV Open Source Communities
• AEGIS Program
Automatic updates in real time to: Email, Endpoints, Web, Networks, IPS Devices (WWW).
Cisco® Collective Security Intelligence Cloud / AMP: Advanced Malware Protection
• 3.5 BILLION SEARCHES TODAY
• AMP CLOUD: 18.5B
• 20.1 BILLION THREATS BLOCKED TODAY
TALOS: THE CISCO SECURITY AND INTELLIGENCE RESEARCH GROUP
AMP: CONTINUOUSLY RECORD ACTIVITY REGARDLESS OF DISPOSITION
[Diagram: AMP CLOUD or PRIVATE CLOUD; AMP ThreatGrid CONTINUOUS BACKGROUND ANALYSIS; AMP CLOUD SYSTEMIC RESPONSE and RETROSPECTIVE DETECTION. Sites shown: HQ, STORE: POS, DATA CENTER, ENDPOINT, with MALWARE EVENTS SHARED across every AMP instance. Components: Talos (Security and Intelligence Research), FireSIGHT, AMP Appliance (NGIPS), AMP Cloud, AMP for Endpoints, ThreatGrid Dynamic Analysis, Cisco Web, Cisco Email, ASA + FPS.]
AMP WORKFLOW IN ACTION
AMP INFRASTRUCTURE
AMP ARCHITECTURE: Talos, AMP for Endpoint, FireSIGHT Management Center, AMP Appliance (NGIPS), AMP ThreatGrid Dynamic Analysis
EQUIVALENT COMPETITIVE ARCHITECTURE
CONTINUOUS ANALYSIS AND RETROSPECTIVE SECURITY
AMP blocks threats, but it doesn’t stop there. AMP uses big data analytics to continuously analyze the history of endpoint and network behavior in your environment – uncovering advanced threats and rewinding history to block them.
NETWORK:
• Start with Blocking: IP, IPS, Files
• Tracking Files: Good, Unknown, Bad
• Unknown Files = Dynamic Analysis
• Retrospective Events
ENDPOINT:
• Tracking Files
• Tracking Behavior
• Blocking examples: IP, IoC, Files
• Dynamic Analysis
• Retrospective Events
ATTACK FLOW vs. AMP
The attack flow is the same as in the ATTACK FLOW EXAMPLE: a Firefox user downloads an unknown .zip from http://www.downloaders.com; b260653178.exe and a PDF are accessed when the .zip is opened; Acrobat launches svchost.exe, which connects to http://192.168.1.12; File #3 connects to 4 IP addresses and opens a dialog window awaiting response; the last unknown file launches calc.exe, hollows the process, begins listening for remote connections, and tries to geolocate and then connect to a C&C server. 3 files are downloaded but 2 are blocked by AMP; File #4 is downloaded; low prevalence analysis delivers a retrospective block; AMP Cloud issues a retrospective block.
AMP FOR NETWORK and AMP FOR ENDPOINT detections triggered along the flow:
• Device trajectory triggered
• File trajectory triggered
• ThreatGrid dynamic analysis triggered
• Snort rule analysis triggered
• Retrospective block
• Systemic block
• Low prevalence: ThreatGrid dynamic analysis triggered
2. RESPOND TO ALERTS
THE POWER OF CONTEXT
In real time, AMP Appliances passively discover the environment they are protecting – mapping the vulnerabilities of each host. An attack leveraging actual vulnerabilities of the target host is a true top alert.
• Alert overload example
• Unfiltered: List of Intrusion Events
• By Impact: List of Intrusion Events
• How? Passive Discovery Overview
• Endpoint: Vulnerable Software
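As an added illustration of the impact-based filtering described above (example code written for this page, not Cisco's or FireSIGHT's own logic), the block below matches each intrusion event against a passively discovered host inventory and keeps only the alerts whose target is actually vulnerable. The host profiles, rule names and the four impact levels are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class HostProfile:
    """What passive discovery learned about one host (constructed values)."""
    ip: str
    os: str
    services: dict        # open port -> application name
    vulnerable: set       # applications known to be at a vulnerable version

@dataclass(frozen=True)
class IntrusionEvent:    # one IPS alert plus what its exploit requires
    rule: str
    dst_ip: str
    dst_port: int
    target_os: str        # OS the exploit works against
    target_app: str       # application the exploit works against

def impact(event, hosts):
    """Hypothetical impact model (not FireSIGHT's own scheme): 1 = host runs
    the targeted app at a vulnerable version (true top alert), 2 = port open
    but not confirmed vulnerable, 3 = port not open, 4 = unknown target."""
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4, "target host not in discovered inventory"
    app = host.services.get(event.dst_port)
    if app is None:
        return 3, "targeted port is not open on this host"
    if app == event.target_app and host.os == event.target_os:
        if app in host.vulnerable:
            return 1, "host runs a vulnerable version of the targeted app"
        return 2, "app and OS match but no known vulnerability"
    return 2, "service on port does not match the exploit's target"

def prioritize(events, hosts):
    """Events sorted by impact, most relevant first (stable for ties)."""
    return sorted(((impact(e, hosts)[0], e) for e in events), key=lambda x: x[0])

def top_alerts(events, hosts, max_impact=1):
    """The few alerts worth a responder's time out of the unfiltered list."""
    return [e for i, e in prioritize(events, hosts) if i <= max_impact]

# Constructed inventory and alerts (hypothetical hosts, apps and rule names).
HOSTS = {
    "10.0.0.5": HostProfile("10.0.0.5", "Windows", {80: "iis", 445: "smb"}, {"iis"}),
    "10.0.0.9": HostProfile("10.0.0.9", "Linux", {22: "openssh", 80: "apache"}, set()),
}
EVENTS = [
    IntrusionEvent("iis-overflow", "10.0.0.5", 80, "Windows", "iis"),
    IntrusionEvent("iis-overflow", "10.0.0.9", 80, "Windows", "iis"),
    IntrusionEvent("smb-exploit", "10.0.0.9", 445, "Windows", "smb"),
    IntrusionEvent("ssh-bruteforce", "10.0.0.9", 22, "Linux", "openssh"),
    IntrusionEvent("iis-overflow", "10.0.0.77", 80, "Windows", "iis"),
]
```

Of the five constructed events only the first lands at impact 1; the same rule firing against the Linux host or an undiscovered address is deprioritized rather than dropped, so the reason string can still be reviewed.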
3. INVESTIGATE INCIDENTS
VISIBILITY + CONTROL
Because AMP records the history of the environment, your team can quickly scroll back time to discover what happened.
• Identify ‘patient zero’ – the first victim.
• Determine the attack scope – how malware traversed the organization.
• Contain the event, understanding all affected systems.
• Remediate quickly, focusing on high-priority events and systems.
• Prevent reinfection by identifying the root causes.
Workflow: Investigate Incidents
• Network
• Endpoint
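To make the retrospective mechanism concrete for the CONTINUOUS ANALYSIS, ATTACK FLOW vs. AMP and VISIBILITY + CONTROL sections (an added example for this page, not AMP's code), the block below records every file sighting regardless of disposition, flags low-prevalence unknowns for dynamic analysis, and replays a later "malicious" verdict over the recorded history to produce retrospective events, patient zero and scope. Host names, hash labels and timestamps are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    ts: int        # constructed timestamp; only ordering matters
    host: str      # hypothetical host name
    sha256: str    # placeholder label standing in for a real file hash
    parent: str    # process that wrote or launched the file

class TrajectoryStore:
    """Records every file sighting regardless of disposition, so a later
    verdict change can be replayed over the full recorded history."""
    def __init__(self):
        self.by_hash = defaultdict(list)   # sha256 -> [Observation]
        self.disposition = {}              # sha256 -> clean|unknown|malicious

    def record(self, obs, disposition):
        self.by_hash[obs.sha256].append(obs)
        self.disposition.setdefault(obs.sha256, disposition)

    def prevalence(self, sha256):
        return len({o.host for o in self.by_hash[sha256]})   # distinct hosts

    def low_prevalence_unknowns(self, max_hosts):
        """Unknown files seen on few hosts: candidates for dynamic analysis."""
        return sorted(h for h, d in self.disposition.items()
                      if d == "unknown" and self.prevalence(h) <= max_hosts)

    def update_disposition(self, sha256, verdict):
        """Replay a new verdict over past sightings, oldest first: one
        retrospective event per sighting, so patient zero is events[0]."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []   # nothing to rewind, or already handled
        sightings = sorted(self.by_hash[sha256], key=lambda o: o.ts)
        return [{"host": o.host, "ts": o.ts, "parent": o.parent,
                 "event": "retrospective_block"} for o in sightings]

def patient_zero(events):
    return events[0]["host"] if events else None

def scope(events):
    return sorted({e["host"] for e in events})   # hosts to contain

# Constructed telemetry: an unknown .exe on one host, later seen on two more.
STORE = TrajectoryStore()
for obs, disp in [
    (Observation(110, "laptop-07", "HASH_EXE", "explorer.exe"), "unknown"),
    (Observation(130, "laptop-07", "HASH_FILE4", "svchost.exe"), "unknown"),
    (Observation(400, "pos-12", "HASH_EXE", "explorer.exe"), "unknown"),
    (Observation(450, "dc-03", "HASH_EXE", "svchost.exe"), "unknown"),
]:
    STORE.record(obs, disp)
```

The second call with the same verdict returns nothing, so a verdict feed replayed twice does not double-count events.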
4. REIMAGE AND RECOVER
SYSTEMIC RESPONSE
AMP works through the cloud, enforcing security response everywhere it is installed. Before we can react to an alert, AMP is already blocking on the network, endpoints – even laptops off our network, email and web.
Systemic Response
• Example
Move beyond blind reimaging:
• Identify root cause (review)
• Roll back time even after reimaging
5. IMPROVE DEFENSE
“AMP finds what our other tools miss”
“We used to have to choose from 1,000’s of alerts…now we know the 4-6 critical alerts for our environment”
“What used to take us 2 weeks or 2 months now takes us 2 minutes”
“Instead of spending 4 hours each day chasing our tools, we’re blocking everywhere, automatically”
“It would have taken 2 hours a day to do what’s being done automatically”
SHARED SECURITY INTELLIGENCE
With AMP ThreatGrid, both Cisco industry partners and non-Cisco solutions can benefit from dynamic analysis executed by AMP, automatically improving your defense.
Integration
• How sharing Threat Intelligence works
• Adding integration
• Invitation to review your environment?
AMP ThreatGrid shares the results of dynamic analysis (sandboxing) of your files, and threat intelligence feeds, with your existing security:
• Firewall
• IPS/IDS
• Gateway/Proxy
• Network Taps
• SIEM
• Log Management
• Endpoint Security
• Other tools
NEXT STEPS
1. “Cisco AMP”
2. Scoping Call
3. Custom Demo
4. POC
Sean Earhard
seearhar@cisco.com / 647-988-4945