AMP for Endpoints, Cloud Email Security, Cisco Threat Response · 2019-10-10 · AMP for Endpoints,...
AMP for Endpoints, Cloud Email Security, Cisco Threat Response
8/10 – 2019
Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified
Consulting Systems Engineer, Cyber Security, Denmark
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
An integrated portfolio creates value for customers
Open APIs · Developer Environment · Services
Best of Breed Portfolio: Endpoint · Network · Cloud
Leading Threat Intelligence
Management · Response · Deploy · Policy
Investigate · Detect · Remediate
3rd Parties: 160+ security tech partners
Share intelligence across network, web, email, and endpoints to see once, block everywhere.
Talos · Threat Grid · AMP Cloud
See once, block everywhere
NGIPS · CES/ESA · WSA/SIG · ISR · NGFW · Endpoints
AMP for Endpoints
Why choose next gen endpoint security?
Traditional antivirus (AV) is just that: traditional.
Next gen endpoint security is simply better and faster.
Traditional AV (figures as stated on the slide): threats they miss 57%, attacks they block 43%
• Ineffective at targeted attacks and unknown threats
• Cumbersome and costly to deploy and maintain
• Siloed and disconnected from other security tools
Next gen endpoint security:
• Better protection against known and unknown threats
• Cloud form factor = faster time to protection
• Easier to integrate with the broader security architecture
• Up to 99% efficacy rating
• Higher FTE cost savings
The daily struggle to react to alerts and troubleshoot potential or real incidents
Security tool selection vs. security delivery (diagram: Tool Selection → Tool Deployment → Security Delivery)
So what happens when one is missed?
Initial disposition = Clean → Actual disposition = Infected → Too late!
Blind to scope of compromise
Prevention tools are insufficient and can never catch 100%
Where AV analysis stops: • Sleep techniques • Unknown protocols • Encryption • Polymorphism
Preventing malware attacks is ideal, but you can never prevent 100% of attacks.
Traditional point-in-time detection (IPS, AV): initial inspection only
Prevent
Prevent threats at the point of entry (Continuous Protection)
• One-to-One Signature: block files using SHA256 hashes or AV signatures and compare them against the AMP Cloud database
• Fuzzy Fingerprinting: block families of malware that rely on polymorphism to bypass detection
• Machine Learning: use trained ML models to identify malicious files based on static attributes
• Device Flow Correlation: block malicious IP communications to and from the endpoint
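The first two engines above, as an added example that is not Cisco's code: an exact SHA256 blocklist lookup beside a toy similarity fingerprint (byte-shingle Jaccard, in the spirit of ssdeep but not the AMP Cloud fuzzy-fingerprinting algorithm). It shows why a one-to-one hash misses a re-padded variant of a known sample while the fingerprint still matches it. The "binaries" are constructed byte strings, and the 0.5 threshold is an assumption.

```python
"""Added example (not Cisco's code): exact SHA256 lookup vs. a toy similarity
fingerprint. The fingerprint is a byte-shingle Jaccard measure, NOT the AMP
Cloud algorithm; the sample binaries and the threshold are constructed."""
import hashlib
from typing import Set

# Constructed samples: a known-bad payload, the same payload with a re-padded
# stub (what a polymorphic packer produces), and an unrelated benign blob.
HEADER = b"MZ\x90\x00" + b"\x55\x8b\xec" * 64 + b"GetProcAddress\x00LoadLibraryA\x00"
PAYLOAD = b"cmd.exe /c powershell -enc " + b"A" * 200
KNOWN_BAD = HEADER + b"\x00" * 256 + PAYLOAD
VARIANT = HEADER + b"\x90" * 40 + b"\x00" * 216 + PAYLOAD   # same code, new padding
BENIGN = bytes(range(256)) * 4

SHA256_BLOCKLIST: Set[str] = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def sha256_hit(data: bytes) -> bool:
    """One-to-one signature: only byte-identical files match."""
    return hashlib.sha256(data).hexdigest() in SHA256_BLOCKLIST

def fingerprint(data: bytes, k: int = 8) -> Set[str]:
    """Hash every k-byte window; edits only disturb the windows they touch,
    so a re-padded variant keeps most of the original's windows."""
    return {hashlib.blake2b(data[i:i + k], digest_size=8).hexdigest()
            for i in range(len(data) - k + 1)}

def similarity(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity of two fingerprints, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a | b else 0.0

FUZZY_BLOCKLIST = [fingerprint(KNOWN_BAD)]

def fuzzy_hit(data: bytes, threshold: float = 0.5) -> bool:
    """Fuzzy fingerprint match: similar enough to any known family member."""
    fp = fingerprint(data)
    return any(similarity(fp, known) >= threshold for known in FUZZY_BLOCKLIST)

if __name__ == "__main__":
    for name, blob in [("known", KNOWN_BAD), ("variant", VARIANT), ("benign", BENIGN)]:
        print(f"{name:8} sha256 hit={sha256_hit(blob)!s:5} fuzzy hit={fuzzy_hit(blob)}")
```

The variant defeats the exact hash with a 40-byte change but keeps roughly three quarters of its 8-byte windows, which is the property fuzzy matching relies on; the benign blob shares none.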
Prevent threats with behavioral detection (Continuous Protection)
• Exploit Prevention: identify threats exploiting trusted processes in memory (fileless malware)
• System Process Protection: prevent system processes from being exploited through memory injection
• Malicious Activity Protection: prevent ransomware before it encrypts your entire disk
Higher threat efficacy validated by third-party testing
Validated by independent tests: AV-Comparatives, Miercom, and NSS Labs
Powered by Talos threat intelligence
Strong prevention: multiple engines and blocking tools
Malware Protection Test: protection rate 99.8%, false alarms 0
Real-World Protection Test: protection rate 99.2%, false alarms 0
Detect
AMP4EP Detection Tools
Close attack pathways, uncover stealthy malware, and reverse-analyze suspicious threats.
Vulnerable Surface Detection
The vulnerabilities feature shows, across all endpoints, software known to be vulnerable to malicious attacks and recommends patching options.
Low Prevalence
The low prevalence feature shows applications on endpoints that are flying under the radar, and lets you take a closer look to see whether any malicious behavior is happening.
Indications of Compromise
File, telemetry, and intrusion events are correlated and prioritized as potentially active breaches, helping security teams identify malware incidents and connect them to coordinated attacks. Users can also create and track their own custom IoCs to catch targeted attacks specific to applications in their environment.
AMP4EP Detection Tools (continued)
API Integrations
With a bi-directional (read and write) API enabled on AMP for Endpoints, users can more easily integrate with third-party security tools and SIEMs, and access data and events in their AMP for Endpoints account without needing to log into the management console.
Integration with Cognitive Threat Analytics (CTA)
When AMP4EP is deployed alongside a compatible web proxy, such as Cisco WSA or Blue Coat ProxySG, CTA can be integrated with AMP4EP to uncover fileless or memory-only malware as well as infections that live only in a web browser. CTA monitors web traffic in and out of endpoints to detect command and control and catch malware before it compromises the OS.
Orbital Advanced Search: simplify threat hunting and investigation
• Proactive: no antecedent required
• Real-time search across all endpoints for registry keys, users, processes, applications, and much more
• Seamless investigation and remediation with Cisco Threat Response
Respond
Endpoint Isolation: contain attacks fast
• Isolate infected hosts from the rest of the network
• Contain the threat without losing forensics data
• Shrink remediation cost by limiting the scale of the attack
• Fast endpoint reactivation once remediation is complete
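The API integration, low-prevalence and endpoint-isolation features described in this section, as one added example that is not Cisco's code: it walks paginated AMP for Endpoints event data, groups detections per host, flags files seen on only a few hosts, and builds the isolation request for a hit. The endpoint paths (/v1/events, /v1/computers/<guid>/isolation), the basic-auth scheme, the JSON field names and the isolation request body are written from memory of the public AMP for Endpoints API and should be treated as assumptions to check against the current documentation. Nothing here touches the network: the page fetcher is injected, and the sample pages are constructed.

```python
"""Added example (not Cisco's code): consume AMP for Endpoints events, correlate
them per host and per file, and prepare an isolation call. Endpoint paths, auth
scheme, field names and the isolation body are assumptions about the public
API; the sample pages below are constructed so everything runs offline."""
import base64
import json
from collections import defaultdict
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.request import Request

API_BASE = "https://api.amp.cisco.com"   # North America cloud host (assumption)

def auth_header(client_id: str, api_key: str) -> Dict[str, str]:
    """The API uses HTTP basic auth with the API client id as the user name."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}

def iter_events(fetch: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Walk a paginated /v1/events listing by following metadata.links.next."""
    while url:
        page = fetch(url)
        yield from page.get("data", [])
        url = page.get("metadata", {}).get("links", {}).get("next")

def correlate(events: List[dict], prevalence_max: int = 2) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (threats_by_host, low_prevalence).
    threats_by_host: connector_guid -> sorted distinct SHA256s from Threat* events
    low_prevalence:  SHA256s observed on at most `prevalence_max` distinct hosts"""
    threats_by_host: Dict[str, set] = defaultdict(set)
    hosts_per_sha: Dict[str, set] = defaultdict(set)
    for ev in events:
        sha = ev.get("file", {}).get("identity", {}).get("sha256")
        if not sha:
            continue                      # policy/isolation events carry no file
        guid = ev["connector_guid"]
        hosts_per_sha[sha].add(guid)      # every sighting counts toward prevalence
        if ev.get("event_type", "").startswith("Threat"):
            threats_by_host[guid].add(sha)
    low = sorted(s for s, hosts in hosts_per_sha.items() if len(hosts) <= prevalence_max)
    return {g: sorted(v) for g, v in threats_by_host.items()}, low

def isolation_request(guid: str, headers: Dict[str, str], comment: str) -> Request:
    """Build (but do not send) the PUT that starts isolation for one connector."""
    body = json.dumps({"comment": comment}).encode()
    return Request(f"{API_BASE}/v1/computers/{guid}/isolation", data=body,
                   headers={**headers, "Content-Type": "application/json"}, method="PUT")

# Constructed sample: two pages of events shaped like the API's responses.
SHA_X, SHA_Y, SHA_Z = "a" * 64, "b" * 64, "c" * 64

def _ev(guid: str, etype: str, sha: Optional[str] = None) -> dict:
    ev = {"connector_guid": guid, "event_type": etype, "computer": {"hostname": guid + ".example"}}
    if sha:
        ev["file"] = {"identity": {"sha256": sha}, "file_name": "dropper.exe"}
    return ev

SAMPLE_PAGES = {
    f"{API_BASE}/v1/events": {
        "data": [_ev("guid-a", "Threat Detected", SHA_X), _ev("guid-a", "Threat Quarantined", SHA_X),
                 _ev("guid-b", "Threat Detected", SHA_X), _ev("guid-a", "Policy Update")],
        "metadata": {"links": {"next": f"{API_BASE}/v1/events?offset=4"}}},
    f"{API_BASE}/v1/events?offset=4": {
        "data": [_ev("guid-c", "Executed malware", SHA_X), _ev("guid-a", "Threat Detected", SHA_Y),
                 _ev("guid-d", "Threat Detected", SHA_Z)],
        "metadata": {"links": {}}},
}

def run_sample(prevalence_max: int = 2) -> Tuple[Dict[str, List[str]], List[str]]:
    events = list(iter_events(SAMPLE_PAGES.__getitem__, f"{API_BASE}/v1/events"))
    return correlate(events, prevalence_max)

if __name__ == "__main__":
    threats, low = run_sample()
    print("threats by host:", threats)
    print("low prevalence :", low)
    for guid in threats:                  # isolate every host with a detection
        req = isolation_request(guid, auth_header("CLIENT_ID", "API_KEY"), "IR case 42")
        print(req.get_method(), req.full_url)
```

In production the injected `fetch` would be a `urllib.request.urlopen` or `requests` call carrying `auth_header(...)`, with the event listing narrowed by the API's date and event-type filters rather than pulled whole.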
AMP Everywhere – See More. Respond Faster.
Get visibility and control across all attack vectors to defend against today's most advanced threats.
AMP for Firewalls: supercharge your next-generation firewall by turning on AMP capabilities on the Cisco Firepower NGFW or the Cisco ASA with FirePOWER™ Services.
AMP for Networks: get deep visibility into threat activity and block advanced malware with AMP deployed as a network-based solution running on AMP-bundled NGIPS.
AMP for ISR: combat and block network-based threats by deploying AMP capabilities on the Cisco® Integrated Services Router (ISR).
Threat Grid: an on-premises appliance or cloud-based solution for static and dynamic malware analysis (sandboxing) and threat intelligence.
AMP for Endpoints: protect your endpoints. Get visibility into file and executable-level activity, and remediate advanced malware on devices running Windows, Mac OS, Linux, and Android.
AMP Everywhere – See More. Respond Faster. (continued)
AMP for Web: add AMP to a Cisco Web Security Appliance (WSA) or Cisco Cloud Web Security (CWS) and get visibility and control to defend against advanced threats launched from the web.
AMP for Private Cloud Virtual Appliance: for high-privacy environments that restrict the use of the public cloud, use an on-premises, air-gapped private cloud deployment of AMP for Networks or AMP for Endpoints.
AMP for Meraki MX: add AMP to Cisco Meraki® MX and take advantage of simplified threat protection with advanced capabilities, providing visibility into threats on your network across multiple sites.
AMP for Email: add AMP to a Cisco Email Security Appliance (ESA) and get visibility and control to defend against advanced threats launched via email.
Cisco Threat Response: integrating security for faster defense
• Automates and orchestrates across security products
• Integrates with AMP, Umbrella, Threat Grid, …
• Accelerates response with AMP and Umbrella blocks
• Integrated casebook
• Extensible to third parties (e.g., VirusTotal)
• Email security integration now in beta; Firepower FMC coming soon
• Browser plugin for cross-platform support
Cisco Zero Trust
A zero-trust approach to securing access across your applications and environment, from any user, device and location.
AMP helps you:
• Prevent advanced threats at the point of access and continuously monitor endpoint files
• Contain infected endpoints and revoke network access
• Integrate with other zero trust technologies such as Cisco Duo multi-factor authentication, Cisco AnyConnect VPN, and Cisco Umbrella secure internet gateway
Support your zero trust architecture
Workforce: ensure only the right users and secure devices can access applications
Workload: secure all connections within your apps, across multi-cloud
Workplace: secure all user and device connections across your network, including IoT
Enforce policy-based controls
Email Security
Attackers Use Multiple Ways to Get In
• Malware: ransomware detections up 90% in 2017 [1]
• Business Email Compromise (BEC): $5.3 billion in losses [2]
• Phishing: $9.1 billion in 2017 [3]
• Domain Compromise: 54% of legitimate domains used in phishing campaigns [4]
Sources cited on the slide:
https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf
Business Email Compromise, E-mail Account Compromise
https://www.malwarebytes.com/pdf/white-papers/CTNT-Q4-17.pdf
https://www.rsa.com/content/dam/en/infographic/2017-global-fraud-forecast.pdf
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Protect against business email compromise (BEC)
Sender: Block Fraudulent Emails
Protect against advanced phishing and BEC
• Advanced Phishing Protection: protect your organization's executives
• DKIM, SPF and DMARC: authenticate senders using these protocols
• Forged Email Detection
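Sender authentication as the slide lists it, as an added example that is not Cisco's code: an SPF evaluation for the connecting IP, a DMARC policy lookup, and the alignment test that turns the two into a pass/fail with the published disposition. DNS is replaced by a constructed in-memory zone (example.com, mail.example.com, partner.example) so it runs offline; `include:`, `a`, `mx` and macros from RFC 7208 are deliberately not implemented, the organizational-domain rule is the naive last-two-labels one rather than the public suffix list, and DKIM signature verification is assumed to have been done by the caller.

```python
"""Added example (not Cisco's code): SPF + DMARC evaluation as an inbound
gateway applies it. DNS is a constructed in-memory zone; include/a/mx/macro
SPF mechanisms, the public suffix list and DKIM crypto are out of scope."""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed records: example.com has SPF and a reject policy with strict
# DKIM / relaxed SPF alignment; partner.example publishes SPF but no DMARC.
ZONE: Dict[str, str] = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "mail.example.com": "v=spf1 ip4:203.0.113.10 -all",
    "partner.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain: str, ip: str) -> str:
    """Evaluate domain's SPF record for the connecting ip (ip4/ip6/all only)."""
    record = ZONE.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        q, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        if mech == "all":
            return QUALIFIERS[q]
        if mech.startswith(("ip4:", "ip6:")):
            # an IPv4 address is never "in" an IPv6 network (and vice versa)
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[q]
    return "neutral"                      # nothing matched and no `all` term

def org_domain(domain: str) -> str:
    """Naive organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_policy(from_domain: str) -> Optional[Dict[str, str]]:
    """Parse the _dmarc TXT record into its tags, or None when absent."""
    record = ZONE.get(f"_dmarc.{from_domain}")
    if not record:
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else None

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(from_domain: str, mail_from_domain: str, client_ip: str,
                  dkim_domain: Optional[str], dkim_valid: bool) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.
    dkim_domain/dkim_valid are the d= tag and signature status from a DKIM
    verifier run by the caller (assumed here, not implemented)."""
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "none", "none"             # no policy: accept, cannot enforce
    spf_ok = (check_spf(mail_from_domain, client_ip) == "pass"
              and aligned(from_domain, mail_from_domain, policy.get("aspf", "r")))
    dkim_ok = bool(dkim_valid and dkim_domain
                   and aligned(from_domain, dkim_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")

if __name__ == "__main__":
    print(dmarc_verdict("example.com", "mail.example.com", "203.0.113.10", None, False))
    print(dmarc_verdict("example.com", "partner.example", "198.51.100.5", None, False))
```

The second call is the classic third-party case: the partner's SPF passes for its own domain, but it is not aligned with the From: domain, so under p=reject the message is refused unless the partner also signs with an aligned DKIM key.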
Sender: Remove BEC Emails already in inboxes
Remediation (as illustrated on the slide): an employee inbox holds a payroll email, an HR email and a potentially malicious email to an executive; after remediation the malicious email is removed and the payroll and HR emails remain.
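The "forged email detection" and executive protection on this slide, as an added example that is not Cisco's code: identity checks that catch BEC messages which pass SPF and DKIM because the attacker owns the sending domain. It flags an executive's display name on an external address, a lookalike sender domain (digit and letter substitutions, one-character edits), and an internal From: paired with an external Reply-To:. The executive list, protected domains, substitution table and sample headers are constructed; real deployments would also learn the executives' normal sending addresses.

```python
"""Added example (not Cisco's code): executive display-name impersonation,
lookalike sender domains and Reply-To mismatch, the identity checks behind
forged-email detection. Executive list, domains and headers are constructed."""
import re
from email.utils import parseaddr
from typing import List, Set

OUR_DOMAINS: Set[str] = {"example.com"}                 # constructed
EXECUTIVES = ["Jane Doe", "John Q. Public"]              # constructed protected identities
# Common substitutions seen in cousin domains (heuristic, constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def norm_name(name: str) -> str:
    """Fold case, drop parentheticals, punctuation and initials, and order the
    tokens so 'Doe, Jane' and 'Jane Doe' compare equal."""
    name = re.sub(r"\(.*?\)", " ", name.lower())
    name = re.sub(r"[^a-z ]", " ", name)
    return " ".join(sorted(t for t in name.split() if len(t) > 1))

EXEC_KEYS = {norm_name(n) for n in EXECUTIVES}

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain: str) -> bool:
    """True for a domain that is not ours but is within one edit of ours after
    folding substitutions: examp1e.com, exarnple.com, example.co."""
    domain = domain.lower()
    if not domain or domain in OUR_DOMAINS:
        return False
    folded = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return any(levenshtein(folded, ours) <= 1 for ours in OUR_DOMAINS)

def assess(from_header: str, reply_to: str = "") -> List[str]:
    """Return the forgery indicators raised for one message's headers."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if norm_name(name) in EXEC_KEYS and domain not in OUR_DOMAINS:
        findings.append("executive display name on an external address")
    if lookalike_domain(domain):
        findings.append(f"lookalike sender domain: {domain}")
    _, reply = parseaddr(reply_to)
    if (reply and "@" in reply and domain in OUR_DOMAINS
            and reply.rsplit("@", 1)[-1].lower() not in OUR_DOMAINS):
        findings.append("internal From: with external Reply-To:")
    return findings

if __name__ == "__main__":
    samples = [("Jane Doe <jane.doe@gmail.example>", ""),
               ("Accounts Payable <ap@examp1e.com>", ""),
               ('"Doe, Jane" <jane@example.com>', "jane.doe@mail.evil.test"),
               ("Jane Doe <jane.doe@example.com>", "")]
    for frm, rt in samples:
        print(f"{frm!r:45} -> {assess(frm, rt) or ['clean']}")
```

These checks complement rather than replace DMARC: the first three samples can all be perfectly authenticated mail from domains the attacker controls, which is exactly why identity-based detection is listed beside the authentication protocols.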
Attachments: Block Known and Emerging Malware in Files
• Anti-Virus: block 100% of files with known viruses or malware
• Outbreak Filters: protect against emerging malware with real-time intelligence updates
Attachments: Combat Targeted Malware with a Powerful Ecosystem
Advanced Malware Protection (AMP):
• Find out if a file contains a threat
• Analyze new files in a secure environment
• Get alerted when malware emerges in your network
• Automate removal from O365 inboxes
• Correlate threats across the endpoint, network and cloud email to block threats faster and more efficiently with AMP Unity
URLs: Block Malicious Links Used in Phishing
• Efficient URL inspection with an industry-leading web security portfolio
• Analyze threat reputation and categorization to detect malicious links in emails
• Get real-time analysis of questionable links to protect against newly infected sites
Block Unwanted Emails with Accuracy
Sender Profiling · Anti-Spam · Graymail Detection · Content Filters · Outbreak Filters
• Analyze the context of the entire message
• Drop over 80% of bad emails
• Block over 99% of spam with accuracy
• Reduce admin burden from unwanted email
• Customize what enters your network
Inbound and Outbound Protection
Inbound: Cisco Email Security with Advanced Malware Protection and Threat Grid
Outbound: Cisco Advanced Phishing Protection · Cisco Domain Protection · Cisco Email Security with Data Loss Prevention and Encryption
Protect Your Data and Brand
• Data loss prevention: use pre-defined policies to stop data loss via outgoing email
• Encryption: secure sensitive data in transit easily to achieve compliance
• Domain protection: prevent attackers from using your domain in phishing campaigns
Securing outbound email: Protect Your Customers and Partners
Identify 3rd party email senders (chart on the slide): one sender with volume 32,078 shows 100% SPF pass and 100% DKIM pass; another with volume 4,047 shows 100% SPF pass but only 0.4% DKIM pass.
Authenticate 3rd party email senders (chart on the slide): daily pass/fail counts per sender, 0 to 300 messages per day, from 6 June to 18 June.
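Where the per-sender numbers on these charts come from, as an added example that is not Cisco's code: a DMARC aggregate (RUA) report parser that totals SPF and DKIM pass rates per source and lists the senders whose mail would start failing once the domain moves to p=reject. The report XML is a constructed, abbreviated document in the RFC 7489 Appendix C shape, with volumes chosen to reproduce the slide's 32,078 / 4,047 senders plus an unrecognised source; the source-name lookup is also constructed, since a real tool would map each IP to a sending service.

```python
"""Added example (not Cisco's code): per-sender SPF/DKIM pass rates from a DMARC
aggregate report. The report XML and the IP-to-sender names are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

# Constructed: which sending service owns which source IP.
SOURCE_NAMES: Dict[str, str] = {"203.0.113.10": "corporate mail", "198.51.100.7": "marketing SaaS"}

# Constructed aggregate report, abbreviated to the fields used below.
REPORT_XML = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>c0ffee</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>32078</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>16</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>4031</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.9</source_ip><count>120</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(xml_text: str) -> Dict[str, Dict[str, float]]:
    """Aggregate every <record> by source IP and express the DMARC-evaluated
    SPF/DKIM results as percentages of that source's volume."""
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: {"volume": 0, "spf": 0, "dkim": 0, "policy_applied": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        n = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        t = totals[ip]
        t["volume"] += n
        t["spf"] += n if pe.findtext("spf") == "pass" else 0
        t["dkim"] += n if pe.findtext("dkim") == "pass" else 0
        # reject/quarantine means the receiver acted on our policy for these messages
        t["policy_applied"] += n if pe.findtext("disposition") in ("reject", "quarantine") else 0
    summary = {}
    for ip, t in totals.items():
        name = SOURCE_NAMES.get(ip, f"unknown ({ip})")
        summary[name] = {
            "volume": t["volume"],
            "spf_pass_pct": round(100 * t["spf"] / t["volume"], 1),
            "dkim_pass_pct": round(100 * t["dkim"] / t["volume"], 1),
            "policy_applied": t["policy_applied"],
        }
    return summary

def needs_attention(summary: Dict[str, Dict[str, float]], min_pct: float = 95.0) -> List[str]:
    """Senders that would be rejected under strict enforcement or are spoofing us."""
    return sorted(name for name, s in summary.items()
                  if s["spf_pass_pct"] < min_pct or s["dkim_pass_pct"] < min_pct)

if __name__ == "__main__":
    report = summarize(REPORT_XML)
    for name, s in report.items():
        print(f"{name:22} volume={s['volume']:>6} SPF={s['spf_pass_pct']:5.1f}% "
              f"DKIM={s['dkim_pass_pct']:5.1f}% acted_on={s['policy_applied']}")
    print("needs attention:", needs_attention(report))
```

The marketing platform here is exactly the case the slide highlights: it passes SPF because its IPs are in the record, but it is not signing with the organization's DKIM key, so any message that fails SPF (forwarding, a new IP) has no second chance under DMARC; the unknown source is spoofing the domain and is already being rejected.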