Endpoint Security - Netteam A/S
Agenda
• AMP + Threat Grid
  - What is it
  - Deployment (Demo)
  - Portal
• Umbrella
  - What is it
  - Deployment
  - Portal (Demo)
• AMP Visibility
• Netteam's partner portal (Umbrella)
• Security Portfolio
Umbrella (What is it)
It all starts with DNS
(Figure: Umbrella answering a lookup for Cisco.com with 72.163.4.161)
DNS = Domain Name System
• First step in connecting to the internet
• Precedes file execution and IP connection
• Used by all devices
• Port agnostic
Cisco Umbrella
Cloud security platform
• Built into the foundation of the internet
• Intelligence to see attacks before launched
• Visibility and protection everywhere
• Enterprise-wide deployment in minutes
• Integrations to amplify existing investments
(Figure: Umbrella resolver 208.67.222.222; threat categories shown: Malware, C2 Callbacks, Phishing)
Built into foundation of the internet
Umbrella provides:
• Connection for safe requests
• Prevention for user- and malware-initiated connections
• Proxy inspection for risky domains
(Figure: a safe request is connected, a blocked request is denied)
Prevents connections before and during the attack
• Command and control callback
  - Malicious payload drop
  - Encryption keys
  - Updated instructions
• Web and email-based infection
  - Malvertising / exploit kit
  - Phishing / web link
  - Watering hole compromise
Stop data exfiltration and ransomware encryption
Where does Umbrella fit?
(Figure: Umbrella as the first line in front of HQ (Sandbox, NGFW, Proxy, Netflow, AV), BRANCH (Router/UTM, AV) and ROAMING (AV) devices; threat categories shown: Malware, C2 Callbacks, Phishing)
Benefits
• Block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster
• Provision globally in minutes
Your security challenges
• Malware and ransomware
• Gaps in visibility and coverage
• Cloud apps and shadow IT
• Difficult to manage security
Umbrella (Deployment)
Deployment (Client)
Umbrella (Portal Demo)
AMP + Threat Grid (What is it)
You’ve made significant investments in critical security layers
• Next-generation firewalls
• Network access control
• Intrusion prevention systems
• Gateway security
• Endpoint security
But it’s impossible to block 100% of threats, 100% of the time
Single points of inspection have their limitations
• Current defense-in-depth approach is built on binary detection
• Known threats are blocked
• Good files make it through
• Unknown threats are passed to the next system
(Figure: NGFW, NGIPS, ISR, WSA, ESA and Endpoint in a chain, each passing unknown files on marked with a "?")
When an incident turns into a breach, the cost to businesses is significant
• 23% of organizations lost business opportunities as the result of a breach **
• The average per capita cost of data breach was $225 in the U.S. *
• The average cost of post-breach remediation efforts is $1.56M in the U.S. *
*Source: Ponemon Cost of Security Breach Report 2017
**Source: Cisco Annual Security Report 2017
A single, threat-centric control plane across your infrastructure
(Figure: AMP Cloud with Malware Analysis and Threat Intel serving Branch Routers, Endpoint, Datacenter, Network edge, Gateways and Email)
Helping you detect and mitigate threats that have evaded your defenses
• Make the unknown, known
• Accelerate security response
• See once, block everywhere
Detect and mitigate threats in your environment faster
(Make the unknown, known / Accelerate security response / See once, block everywhere)
In most networks, there’s no way to see threat progression or origin:
(Figure: Threat: initial device compromised; launched malicious file downloads; sent information from internal server; no threat symptoms displayed; customer data compromised. Unknown steps marked "?")
With AMP, trace back threat activity and remediate incidents quickly:
(Figure: AMP continuously records all activity; Origin, IoC identified, Threat contained)
Supercharge your existing security infrastructure
(Make the unknown, known / Accelerate security response / See once, block everywhere)
• Talos, Sandboxing, AMP Cloud, API integration
• Protect, detect, and respond across your environment
• Automatically block threats seen outside your network
• APIs augment the functionality of Cisco and 3rd party products
(Figure: AMP at the centre of ESA, ISR, Endpoint, NGIPS, WSA, NGFW and 3rd party products)
AMP makes everything in your network better
Empower your team to act faster and decrease the impact of an incident
• Understand which alerts need further investigation with precision
• Eliminate time-consuming and error-prone tasks
• Automate intelligence-driven security responses
(Make the unknown, known / Accelerate security response / See once, block everywhere)
With AMP, you get both across your entire environment
(Figure: Talos, AMP Cloud and Threat Grid feeding ISR, Endpoint, NGIPS, NGFW, WSA / SIG, CES / ESA)
Advanced Malware Protection: Solution Overview
What Is Cisco AMP for Endpoints?
• Software as a service (subscription)
• Cloud managed
• Lightweight connector
• Protects Windows, Mac, Linux, Android, and iOS
AMP for Endpoints: Prevent, Detect, Respond
• Prevent: prevent attacks and block malware in real time
• Detect: continuously monitor for threats on your endpoints to decrease time to detection
• Respond: accelerate investigations and remediate faster and more effectively
Prevent: Plan A, Prevention framework
(Engines placed along the time-to-detection axis, from in memory and on disk to post infection)
• In memory: Exploit Prevention, System Process Protection
• On disk: AMP Cloud, Malicious Activity Protection, Custom Detections, Antivirus
Detect: Plan B, Detection framework
• In memory: Exploit Prevention, System Process Protection
• On disk: AMP Cloud, Malicious Activity Protection, Custom Detections, Antivirus
• Post infection: Device Flow Correlation, Cognitive Threat Analytics
Exploit Prevention
In Memory
• Make the memory unpredictable by changing the memory structure
• Make the app aware of the legitimate memory structure
• Any code accessing the old memory structure is malware!
(Figure, "Inside the Memory Space": trusted code is pointed at the new system resources, while the decoy system resources act as a trap for injected malicious code)
System Process Protection
In Memory
• Protects system processes from being compromised through memory injection attacks by other processes
(Figure: the Windows logon and authentication processes being protected: Winlogon, Lsass with Msv1_0.dll and Kerberos.dll, the LSA server and LSA policy, the SAM server and SAM, Netlogon and Active Directory)
AMP Cloud
On Disk
• 1-to-1 signatures
  - Capability: unique file matching
  - Feature: fast protection across all products
  - Intel: fed by Threat Grid convictions, Talos engines
• Ethos
  - Capability: fuzzy fingerprints
  - Feature: convict multiple polymorphic variants
  - Intel: large-scale data mining and extensive automation
• Spero
  - Capability: zero-day detections without file uploads
  - Feature: machine learning based on features extracted from file header
  - Intel: model trained with in-field and Talos data
Malicious Activity Protection
On Disk
• Detects abnormal behavior of a running program, initially focused on ransomware
• Uses rules that monitor processes reading, writing and renaming or deleting files within a short span of time
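One way to express the behavioural rule described above as detection logic, as an added example (not Cisco's engine or its rule set): a sliding window per process that counts distinct files modified plus renames and deletes; the window length, the thresholds, the event format and the sample telemetry are all constructed for this illustration.

```python
"""Sliding-window heuristic for ransomware-like file activity.
Added example; thresholds and event schema are assumptions, not AMP's."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds on a constructed clock
    pid: int
    process: str
    op: str         # "read", "write", "rename" or "delete"
    path: str       # for "rename": "old -> new"


# Assumed tuning values, not Cisco's rule parameters.
WINDOW_SECONDS = 10.0      # the "short span of time"
MIN_DISTINCT_FILES = 8     # distinct files modified inside the window
MIN_DESTRUCTIVE_OPS = 4    # renames + deletes inside the window


def detect_mass_file_modification(
    events: Iterable[FileEvent],
    window: float = WINDOW_SECONDS,
    min_files: int = MIN_DISTINCT_FILES,
    min_destructive: int = MIN_DESTRUCTIVE_OPS,
) -> List[Tuple[int, str, float, int]]:
    """Return one (pid, process, window_start_ts, distinct_files) alert per
    process whose modifications inside any `window`-second span exceed both
    thresholds. Reads are ignored: a process reads many files normally; it
    is the burst of writes/renames/deletes that looks like encryption."""
    recent = defaultdict(deque)   # pid -> modification events in the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "read":
            continue
        q = recent[ev.pid]
        q.append(ev)
        while ev.ts - q[0].ts > window:      # slide the window forward
            q.popleft()
        if ev.pid in alerts:
            continue                         # one alert per process
        touched = {e.path.split(" -> ")[0] for e in q}
        destructive = sum(e.op in ("rename", "delete") for e in q)
        if len(touched) >= min_files and destructive >= min_destructive:
            alerts[ev.pid] = (ev.pid, ev.process, q[0].ts, len(touched))
    return list(alerts.values())


def sample_events() -> List[FileEvent]:
    """Constructed telemetry, not real AMP output."""
    evs = [
        # Benign: a word processor saving via a temp file now and then
        FileEvent(100.0, 1001, "winword.exe", "write", r"C:\Users\ann\~tmp1.docx"),
        FileEvent(100.5, 1001, "winword.exe", "rename",
                  r"C:\Users\ann\~tmp1.docx -> C:\Users\ann\report.docx"),
        FileEvent(160.0, 1001, "winword.exe", "write", r"C:\Users\ann\~tmp2.docx"),
        FileEvent(160.5, 1001, "winword.exe", "rename",
                  r"C:\Users\ann\~tmp2.docx -> C:\Users\ann\report.docx"),
    ]
    # Suspicious: one process reads, rewrites and renames ten documents in ~3 s
    for i in range(10):
        t = 200.0 + i * 0.3
        p = rf"C:\Users\ann\docs\file{i}.xlsx"
        evs += [
            FileEvent(t, 4242, "crypt.exe", "read", p),
            FileEvent(t + 0.1, 4242, "crypt.exe", "write", p),
            FileEvent(t + 0.2, 4242, "crypt.exe", "rename", f"{p} -> {p}.locked"),
        ]
    return evs


if __name__ == "__main__":
    for alert in detect_mass_file_modification(sample_events()):
        print("ALERT pid=%d process=%s window_start=%.1f files=%d" % alert)
```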
Custom Detections
On Disk
• Simple (hash-based)
  - Quick and easy way to convict unwanted files and initiate Cloud Recall
  - Subject to cached dispositions and Global Whitelist
• Advanced
  - ClamAV signature language
Antivirus Engine
On Disk
• Tetra: offline AV engine for Windows
• ClamAV: offline AV engine for MacOS, Linux
• AMP Update Server available to distribute definition updates on LAN
Cognitive Threat Analytics
Post Infection
• Data statistics
• Anomaly detection (probabilistic and time series)
• Classification (pictured at right on the slide)
• Incidents and campaigns
Device Flow Correlation
Post Infection
• Kernel-level view into network traffic, correlated with initiating process
• Custom IP address detections: IP blacklists and IP whitelists
• Dropper detection and removal in unknown files
• Powered by Cisco Security Intelligence feed
Cloud Indicators of Compromise
Post Infection
• Track behaviors across multiple processes on a single host
• Automate compromise analysis and determination
• Prioritize list of compromised devices
Continuous Analysis and Retrospective Security
Monitor, record, and analyze all file activity, regardless of disposition
• Identify a threat’s point of origin
• Track its rate of progression and how it spread
• See what it is doing
• See where it's been
• Surgically target and remediate
(Figure: RECORDING timeline)
AMP Unity
(Figure: AMP Cloud sharing Global File Trajectory, Whitelists, Blacklists and Global Outbreak Control across Network Appliances (NGIPS, NGFW), Endpoints and Content Appliances (WSA, ESA))
Threat Grid: Solution Overview
Static and Dynamic Analysis
Static Analysis
• File on disk
  - Header details
  - AV engines
• What it is/contains
Dynamic Analysis
• Execution/Detonation
  - Network Connections
  - File/System changes
  - Function/Library calls
• What it does
AMP and Threat Grid Positioning
Land and Expand
Non-security-focused buyers: AMP for Endpoints, Umbrella, Meraki MX, Advanced File Analysis
Land and Expand
Security-focused buyers: Email with AMP, Threat Grid, AMP for Endpoints, Umbrella with AMP
Positioning AMP for Endpoints
“Can AMP replace my antivirus?”
Answer: YES*
*But, are we asking the right question?
Legacy AV
• Disk encryption
• DLP
• Free toaster oven
• ???
AMP
• Protection
• Detection
• Response
(Figure label: Antivirus)
Positioning Threat Grid
Threat Grid Cloud / Appliance
• Static and dynamic malware analysis powered by Threat Grid
• Discover potential new threats and indicators of compromise
• Extensive reporting: pivot and drill down on data elements
• Adjust sample run time and interact with malware samples in Glovebox
• Single organization-wide view of all sample submissions
• Open API to automate sample uploads from other security tools
AMP Enabled Devices
• Static and dynamic malware analysis powered by Threat Grid
• Discover potential new threats and indicators of compromise
• Basic reporting: Behavioral Indicators, Network Activity, etc.
• Limited to 5-minute run time on preset VM images; no interaction
• Only see reports from samples submitted from each technology
Sizing Threat Grid
(Figure: AMP-enabled devices (NGFW, Email, Web, Umbrella, Endpoint) and API integrations submitting to Threat Grid Cloud under one Organization Account; 200 included Threat Grid submissions shared across any number of AMP integrated devices, plus organization-wide Advanced File Analysis (AFA) licenses; daily budget shown as (200+p+s)/day)
Excerpt of a Threat Grid report shown on the slide:
"behaviors": [{"name": "excessive-suspicious-activity", "threat": 90},
Positioning Threat Grid
Who is a good prospect for Threat Grid?
• Technical analyst / incident responder
• Looking to boost the capabilities of their existing security architecture
• Mature security team, or one that is resource constrained and needs a low-OpEx solution to empower junior analysts with automated submissions
• Has AMP-integrated products (Firepower, AMP for Endpoints, ESA/CES, WSA, Meraki, Umbrella)
AMP and Threat Grid: Design
Cloud Architecture
(Figure: Talos Threat Intelligence Cloud, AMP Public / Private Cloud (File Reputation) and Threat Grid Cloud / Appliance (Sandboxing); flows labelled Threat Intel; File Dispositions, IOCs, ML; File Analysis Results; Behavioral Indicators)
Solution Overview
• File Reputation: blocking of known malicious files; powered by AMP Cloud
• File Analysis: behavior analysis of unknown files; powered by Threat Grid Cloud
• File Retrospection: retrospective alerting upon disposition change; powered by AMP Cloud
AMP and Threat Grid Integrations
(Table, checkmarks not preserved in this transcript: the integrations Endpoint, Meraki MX, ESA / CES, WSA, Umbrella and Firepower against the services File Reputation, File Analysis and File Retrospection)
Deployment Modes
Deployment
AMP and Threat Grid Deployment Options
• File Reputation & Retrospection (AMP Cloud): AMP Public Cloud or AMP Private Cloud
• File Analysis (Threat Grid): Threat Grid Cloud or Threat Grid Appliance
Deployments (Endpoint, Public)
(Figure: the AMP Connector on the endpoint sits inside the Organization’s Perimeter; AMP Cloud and Threat Grid Cloud are outside)
• File Reputation: the connector sends a File Reputation Check to AMP Cloud (includes hash, ML features, IP lookup)
• File Analysis: AMP Cloud issues a File Fetch for the suspicious file and sends an Analysis Request (includes the file) to Threat Grid Cloud
• A malicious file hash is automatically marked in the AMP database
• File Retrospection: AMP Cloud notifies the connector
Deployments (Network, Public)
(Figure: the AMP Connector on Firepower and the FMC sit inside the Organization’s Perimeter; AMP Cloud and Threat Grid Cloud are outside)
• File Reputation: File Reputation Check (includes hash, ML features) from the Firepower connector via FMC to AMP Cloud
• File Analysis: Analysis Request (includes the file) to Threat Grid Cloud; an Analysis Report (indicators, threat score) comes back
• A malicious file hash is automatically marked in the AMP database
• File Retrospection: disposition changes flow back from AMP Cloud
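A small simulation of the loop drawn on the two deployment slides above (reputation check, analysis request, hash marked malicious in the AMP database, retrospective alert to everyone who already saw the file), written as an added example and not Cisco's AMP or Threat Grid API; the class names, the conviction threshold, the canned sandbox verdicts and the sample bytes are constructed. The behaviour name and score reuse the report excerpt from the Sizing Threat Grid slide.

```python
"""Reputation -> analysis -> retrospection loop, simulated.
Added example with stand-in classes; not Cisco's services or wire format."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

MALICIOUS_THRESHOLD = 90   # assumed: behaviour threat score that convicts a sample


def sha256_hex(data: bytes) -> str:
    """Connectors send a SHA-256 of the file, never the file, for a reputation check."""
    return hashlib.sha256(data).hexdigest()


class ThreatGridStub:
    """Stand-in for the sandbox. A real detonation would observe the sample;
    here a canned table keyed on the sample content plays that role."""

    def analyze(self, data: bytes) -> dict:
        if b"encrypt-everything" in data:     # constructed marker for the bad sample
            return {"behaviors": [{"name": "excessive-suspicious-activity", "threat": 90}]}
        return {"behaviors": [{"name": "file-opened", "threat": 10}]}


class AmpCloudSim:
    """Stand-in for the AMP Cloud: a disposition database, a record of which
    connector has seen which hash, and the retrospective alerts that record lets it send."""

    def __init__(self, sandbox: ThreatGridStub) -> None:
        self.sandbox = sandbox
        self.disposition: Dict[str, str] = {}          # sha256 -> "clean" | "malicious"
        self.seen_by = defaultdict(set)                # sha256 -> connectors that asked
        self.retro_alerts: List[Tuple[str, str, str]] = []   # (connector, sha256, new)

    def reputation_check(self, connector: str, sha256: str) -> str:
        """Step 1: answer from the cached disposition ("unknown" if never judged) and
        remember who asked, so a later disposition change can reach them."""
        self.seen_by[sha256].add(connector)
        return self.disposition.get(sha256, "unknown")

    def analysis_request(self, sha256: str, data: bytes) -> dict:
        """Steps 2-3: submit the unknown file to the sandbox; on a high threat score
        the hash is marked malicious in the database and every connector that
        already saw the file gets a retrospective alert ("see once, block everywhere")."""
        report = self.sandbox.analyze(data)
        score = max((b["threat"] for b in report["behaviors"]), default=0)
        new = "malicious" if score >= MALICIOUS_THRESHOLD else "clean"
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = new
        # Retrospection fires when a verdict changes to or from malicious;
        # the first unknown -> clean verdict is not a change worth alerting on.
        if new != old and "malicious" in (new, old):
            for connector in sorted(self.seen_by[sha256]):
                self.retro_alerts.append((connector, sha256, new))
        return report


def run_scenario() -> dict:
    """Two connectors see an unknown file before the sandbox convicts it; a
    third asks afterwards and is blocked at lookup time."""
    cloud = AmpCloudSim(ThreatGridStub())
    sample = b"constructed sample: encrypt-everything"      # constructed, not a real file
    h = sha256_hex(sample)
    first = cloud.reputation_check("endpoint-A", h)        # unknown: allowed, but recorded
    second = cloud.reputation_check("firepower-FMC", h)
    cloud.analysis_request(h, sample)                      # sandbox convicts, DB updated
    third = cloud.reputation_check("endpoint-B", h)        # now answered "malicious"

    benign = b"constructed benign document"
    hb = sha256_hex(benign)
    cloud.reputation_check("endpoint-A", hb)
    cloud.analysis_request(hb, benign)                     # clean verdict, no retro alert
    benign_after = cloud.reputation_check("endpoint-B", hb)
    return {"before": (first, second), "after": third,
            "benign_after": benign_after, "retro": cloud.retro_alerts}


if __name__ == "__main__":
    result = run_scenario()
    print("dispositions before/after conviction:", result["before"], result["after"])
    for connector, sha, new in result["retro"]:
        print(f"retrospective alert -> {connector}: {sha[:12]}... is now {new}")
```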
AMP Visibility
Cisco Visibility: Threat Intelligence Orchestration
Who, What, Where, When, How
“This hash has been submitted for analysis 5 times in 30 days, was delivered by email and has been seen by AMP for Endpoints 9 times”
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential
• Threat hunting
• One click remediation
• Intelligence correlation
• Perform in-depth investigations
Umbrella Partner Portal
Security Portfolio
https://www.cisco.com/c/en/us/products/security/integrated-cybersecurity-portfolio-demo.html
https://www.youtube.com/watch?v=i6GNTwPpZLo&t=141s
1. Share threat intelligence
2. Share event information
3. Share policy information
4. Share contextual awareness