Page 1: Cisco AMP Threat Grid Tech update › c › dam › global › da_dk › assets › pdfs › AM… · Unified Malware Analysis and Threat Intelligence Cisco AMP Threat Grid Tech update

Unified Malware Analysis and Threat Intelligence

Cisco AMP Threat Grid

Tech update

Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified

Consulting Systems Engineer, Cyber Security, Denmark

Page 2:

Introducing Threat Grid Everywhere

[Slide diagram] AMP Threat Grid (Dynamic Analysis, Static Analysis, Threat Intelligence) sits at the centre. Suspicious files come in from Cisco Security Solutions and Network Security Solutions at the edge and on endpoints (Email Security, Web Security, Endpoint Security, Network Security, Firewalls & UTM, Security Analytics) and from 3rd Party Integration (security monitoring platforms, Deep Packet Inspection, Gov/Risk/Compliance, SIEM). Analysis reports flow back to those products, and premium content feeds go to Security Teams.

Page 3:

Automatically submit suspicious files: automated analysis, from edge to endpoint

Submission: an analyst or a system (via the API) submits the suspicious sample to Threat Grid.

[Slide diagram] Sources of suspicious files, from edge to endpoints: ASA w/FPS, ESA, Next Gen IPS, WSA, AMP for Endpoints, AMP for Networks.
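The submission flow on this slide (an analyst or system submits via the API, then retrieves the report), as an added example that is not Cisco's code: a small Python client that hashes the file, checks whether the sandbox already analyzed identical bytes before submitting it again, polls the analysis state a bounded number of times, and handles both a failed analysis and one that never finishes. The endpoint paths, field names and state strings are assumptions for this example, not the documented Threat Grid API; the in-memory `FakeSandbox` stands in for the service so the exchange runs offline.

```python
import hashlib
import time


def sha256_hex(data: bytes) -> str:
    """Content hash used to look a sample up before submitting it again."""
    return hashlib.sha256(data).hexdigest()


class AnalysisFailed(Exception):
    """The sandbox reached a terminal 'fail' state for this sample."""


class SandboxClient:
    """Submit a file and wait for its report.

    `transport` exposes get(path, params) and post(path, fields) returning
    dicts. Paths, field names and state strings are assumptions for this
    example, not a documented API.
    """

    def __init__(self, transport, api_key, poll_interval=0.0, max_polls=30):
        self.transport = transport
        self.api_key = api_key
        self.poll_interval = poll_interval
        self.max_polls = max_polls

    def submit(self, filename, data):
        """Return (sample_id, reused). Identical bytes reuse the earlier
        analysis instead of detonating the sample a second time."""
        digest = sha256_hex(data)
        found = self.transport.get("/api/v2/samples/search",
                                   {"api_key": self.api_key, "checksum": digest})
        if found["items"]:
            return found["items"][0]["sample_id"], True
        created = self.transport.post("/api/v2/samples",
                                      {"api_key": self.api_key,
                                       "filename": filename, "sample": data})
        return created["sample_id"], False

    def wait_for_report(self, sample_id):
        """Poll the state until it is terminal; give up after max_polls."""
        state = None
        for _ in range(self.max_polls):
            status = self.transport.get(f"/api/v2/samples/{sample_id}/state",
                                        {"api_key": self.api_key})
            state = status["state"]
            if state == "succ":
                return self.transport.get(
                    f"/api/v2/samples/{sample_id}/analysis.json",
                    {"api_key": self.api_key})
            if state == "fail":
                raise AnalysisFailed(f"{sample_id}: {status.get('reason', 'unknown')}")
            time.sleep(self.poll_interval)
        raise TimeoutError(f"{sample_id} still {state!r} after {self.max_polls} polls")

    def analyze(self, filename, data):
        sample_id, reused = self.submit(filename, data)
        return sample_id, reused, self.wait_for_report(sample_id)


class FakeSandbox:
    """In-memory stand-in for the service, constructed for this example.

    Each sample needs `runtime` state polls to finish. Files named *.corrupt
    end in 'fail' so the error path can be exercised; content containing
    b"cmd /c" scores 95, anything else 5 (a toy rule, not real detection).
    """

    def __init__(self, runtime=2):
        self.runtime = runtime
        self.by_hash = {}   # sha256 -> sample_id
        self.samples = {}   # sample_id -> record
        self.polls = {}     # sample_id -> state polls so far

    def post(self, path, fields):
        assert path == "/api/v2/samples"
        sid = f"s{len(self.samples) + 1:04d}"
        data = fields["sample"]
        self.samples[sid] = {"filename": fields["filename"],
                             "score": 95 if b"cmd /c" in data else 5}
        self.by_hash[sha256_hex(data)] = sid
        self.polls[sid] = 0
        return {"sample_id": sid}

    def get(self, path, params):
        if path == "/api/v2/samples/search":
            sid = self.by_hash.get(params["checksum"])
            return {"items": [{"sample_id": sid}] if sid else []}
        sid = path.split("/")[4]
        rec = self.samples[sid]
        if path.endswith("/state"):
            self.polls[sid] += 1
            if self.polls[sid] < self.runtime:
                return {"state": "running"}
            if rec["filename"].endswith(".corrupt"):
                return {"state": "fail", "reason": "unsupported file type"}
            return {"state": "succ"}
        if path.endswith("/analysis.json"):
            return {"sample_id": sid, "threat": {"threat_score": rec["score"]}}
        raise KeyError(path)


if __name__ == "__main__":
    client = SandboxClient(FakeSandbox(runtime=3), api_key="EXAMPLE-KEY")
    sid, reused, report = client.analyze("dropper.exe", b"MZ... cmd /c whoami")
    print(sid, "reused" if reused else "new", report["threat"]["threat_score"])
```

The hash-first lookup is the part worth copying into a real integration: an appliance rated for a fixed number of analyses per day should not spend a detonation on bytes it has already seen, and the bounded polling loop keeps an automated submitter from hanging on a sample the sandbox never finishes.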

Page 4:

Examine files with context-driven analysis

• “Outside looking in” approach: no presence in the VM
• Proprietary techniques for static and dynamic analyses
• Observing all changes to the local host and network communications
• Downloadable analysis JSON, in minutes
• Capability to pivot on any data element
• Detailed report identifying key behavioral indicators and threat score
• Accurately identify attacks, in near real time
• Static and dynamic analysis execute automatically

[Slide figure] Dynamic Analysis: process tree visualization. Legend markers F, R, S: file activity, registry activity, sample process; a process with additional activity is marked as well.

Page 5:

Easily identify and prioritize threats

450+ behavioral indicators (and growing)
• Malware families, malicious behaviors, and more
• Detailed description and actionable information

Prioritize threats with confidence
• Enhance SOC analyst and IR knowledge and effectiveness (and security product)
• Easy-to-understand Threat Scores guide decision making

DEMO

Page 6:

Leverage our global community and scale

Millions of samples analyzed every month
• Near real time analysis

Correlates each sample analysis with billions of malware artifacts
• Exceptional scale and coverage for global threats

Threat intelligence prepares you for tomorrow’s threats

Page 7:

Deploy as needed in your environment

Two deployment options: Cloud solution, or Powerful security appliance.

• Secure logical access and physical facility
• No external cloud provider element: self-contained processing and storage (Cisco AMP Threat Grid developed IP and dedicated hardware)
• Local malware analysis backed by the full power of Cisco® AMP Threat Grid’s cloud
• For regulatory and policy compliance, all data remains on premises
• Consistent user experience from cloud to appliance (UI, API, etc.)

Page 8:

Cisco Confidential 8 © 2015 Cisco and/or its affiliates. All rights reserved.

Unified Malware Analysis and Threat Intelligence

Performance
• High-speed, automated analysis and adjustable runtimes
• Does not expose any tags or indicators that malware can use to detect that it is being observed
• Can observe a greater number of behaviors

Usability
• Video playbacks
• Glovebox for malware interaction and operational troubleshooting
• Process Graph for visual representation of process lineage
• Threat Score & Behavioral Indicators

Context
• Search and correlate all data elements of a single sample against billions of sample artifacts collected and analyzed over years (global and historic context)
• Enable the analyst to better understand the relevancy of the sample in question to one’s environment

Integration
• Architected from the ground up with an API to integrate with existing IT security solutions (automatically receive submissions from other solutions and pull the results into your environment)
• Create custom threat intelligence feeds

Cisco AMP Threat Grid
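Two slides describe what an integrator does with the output: page 4's downloadable JSON report with a threat score and behavioral indicators that can be pivoted on, and the Integration points above (pull results into your environment, create custom threat intelligence feeds). The Python below is an added example, not Cisco's code or Threat Grid's schema: it triages constructed reports into IR priorities, extracts network contacts and dropped-file hashes while dropping internal-range and known-benign noise, builds a pivot index from artifact to the samples that share it, and emits a CSV feed that leaves out artifacts seen only in low-scoring samples. The report shape, the threshold values, `INTERNAL_NETS` and `BENIGN_HOSTS` are all assumptions.

```python
import csv
import io
import ipaddress

# Constructed analysis reports in a simplified shape: threat score, behavioral
# indicators, network contacts and dropped files. Not Threat Grid's real JSON.
REPORTS = [
    {"sample_id": "s0001", "threat": {"threat_score": 95},
     "behavioral_indicators": [
         {"title": "Process Modified Autorun Registry Key", "severity": 90, "confidence": 95},
         {"title": "Outbound HTTP POST to Uncommon Host", "severity": 70, "confidence": 80}],
     "network": {"hosts": ["update-check.example.net", "203.0.113.10", "10.0.0.5"]},
     "dropped_files": [{"path": "C:\\Users\\Public\\svc.exe", "sha256": "b2" * 32}]},
    {"sample_id": "s0002", "threat": {"threat_score": 55},
     "behavioral_indicators": [
         {"title": "Executable Dropped to Public Folder", "severity": 40, "confidence": 60}],
     "network": {"hosts": ["update-check.example.net", "127.0.0.1"]},
     "dropped_files": [{"path": "C:\\Users\\Public\\svc.exe", "sha256": "b2" * 32},
                       {"path": "C:\\Users\\Public\\cfg.dat", "sha256": "e5" * 32}]},
    {"sample_id": "s0003", "threat": {"threat_score": 10},
     "behavioral_indicators": [],
     "network": {"hosts": ["www.example.com"]},
     "dropped_files": []},
]

# Lab/sandbox and RFC 1918 ranges (assumed): contacts inside them are not intel.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
# Hosts the organisation has already reviewed as benign (constructed allowlist).
BENIGN_HOSTS = {"www.example.com"}


def priority(report, high=90, medium=50):
    """IR priority from the threat score; thresholds are assumptions. One
    high-severity, high-confidence indicator is enough for 'high' on its own."""
    score = report["threat"]["threat_score"]
    strong = any(bi["severity"] >= 80 and bi["confidence"] >= 80
                 for bi in report["behavioral_indicators"])
    if score >= high or strong:
        return "high"
    return "medium" if score >= medium else "low"


def classify_host(host):
    """('ip', host), ('domain', host), or None for internal/benign noise."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None if host in BENIGN_HOSTS else ("domain", host)
    return None if any(ip in net for net in INTERNAL_NETS) else ("ip", host)


def extract_iocs(report):
    """Artifacts worth blocking or pivoting on, as a set of (type, value)."""
    iocs = {c for c in map(classify_host, report["network"]["hosts"]) if c}
    iocs |= {("sha256", f["sha256"]) for f in report["dropped_files"]}
    return iocs


def pivot_index(reports):
    """artifact -> sorted sample ids sharing it: the 'pivot on any element' view."""
    index = {}
    for r in reports:
        for ioc in extract_iocs(r):
            index.setdefault(ioc, set()).add(r["sample_id"])
    return {k: sorted(v) for k, v in index.items()}


def build_feed(reports, min_score=50):
    """Rows for a custom feed: each artifact with the samples it was seen in and
    the highest threat score among them. Artifacts only seen in low-scoring
    samples are left out so the feed does not poison downstream blocklists."""
    scores = {r["sample_id"]: r["threat"]["threat_score"] for r in reports}
    rows = []
    for (kind, value), sids in sorted(pivot_index(reports).items()):
        top = max(scores[s] for s in sids)
        if top >= min_score:
            rows.append({"type": kind, "value": value,
                         "samples": ";".join(sids), "max_score": top})
    return rows


def feed_csv(rows):
    """Serialise feed rows as CSV text (header first)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["type", "value", "samples", "max_score"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for r in REPORTS:
        print(r["sample_id"], priority(r), sorted(extract_iocs(r)))
    print(feed_csv(build_feed(REPORTS)))
```

The pivot index is what turns a single report into context: the shared domain and dropped-file hash tie s0002 to the high-scoring s0001 even though s0002's own score is middling, and the feed threshold plus the internal-range and benign-host filters are the checks that keep sandbox-only addresses and common infrastructure out of anything you push to a firewall or SIEM.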

Page 9:

On-Premise Appliance

• Local malware analysis backed by the full power of Cisco® AMP Threat Grid’s cloud
• For regulatory and policy compliance, all data remains on premises
• Continuous, one-way stream of federated data from Cisco AMP Threat Grid helps ensure full context
• Consistent user experience from cloud to appliance (UI, API, etc.)

TG5000: up to 1,500 sample analyses per day; Cisco UCS C220 M3 chassis (1U); 6 x 1 TB SAS HDD with LSI hardware RAID
TG5500: up to 5,000 sample analyses per day; Cisco UCS C220 M3 chassis (1U); 6 x 1 TB SAS HDD with LSI hardware RAID

Powerful security and compliance

Page 10:

AMP Threat Grid unifies analysis and threat intelligence to deliver…

Automated Analysis · Context Rich Analytics · Seamless Integration

Page 11:

http://www.cisco.com/web/DK/learn_events/seminarkalender2016.html

Page 12:

Thank you.