Cisco Advanced Malware Protection. Ross Shehov Security Virtual Systems Engineer March 2016


The Reality: Organizations Are Under Attack and Malware Is Getting In
- 95% of large companies targeted by malicious traffic
- 100% of organizations interacted with websites hosting malware
- Cybercrime is lucrative, barrier to entry is low
- Hackers are smarter and have the resources to compromise your organization
- Malware is more sophisticated: organizations face tens of thousands of new malware samples per hour
Timeline (1990 to 2020): Viruses 1990-2000 (phishing, low sophistication); Worms 2000-2005 (hacking becomes an industry); Spyware and Rootkits 2005-Today; APTs, Cyberware Today+ (sophisticated attacks, complex landscape)

Malware Will Get Into Your Environment
- 95% of large companies targeted by malicious traffic
- $5.9M average cost of a breach in the United States
- 60% of data stolen in hours
- 65% of organizations say attacks evaded existing preventative security tools

Once Inside, Organizations Struggle to Deal with It
- 33% of organizations take 2+ years to discover a breach
- 54% of breaches remain undiscovered for months
- 55% of organizations unable to determine the cause of a breach
- 45 days average time to resolve a cyber-attack

Point-in-Time Detection Tools Alone Are Insufficient and Provide Limited or No Visibility Into Threats Once They Get In
- Event horizon: antivirus and legacy IPS analysis stops at the moment of inspection, and is not 100% effective
- Evasion that defeats a single inspection: sleep techniques, unknown protocols, encryption, polymorphism
- Result: blind to the scope of compromise
- Initial disposition = Clean; actual disposition = Bad. Too late!!

Breach: Prevention, Detection, Containment, Remediation, continuously and rapidly

Cisco AMP Provides Threat Intelligence, Point-in-Time Detection, and Continuous Analysis of Files to Defeat Advanced Threats
Attack continuum:
- Before: Discover, Enforce, Harden
- During: Detect, Block, Defend
- After: Scope, Contain, Remediate
Layers: threat intelligence and analytics; point-in-time detection; retrospective security and continuous analysis
Control points: Email and Web, Data Center/Servers, Network, Endpoints, Mobile

AMP Provides the Visibility and Control to Effectively Prevent, Block, Detect, and Remediate Advanced Threats
- Before an attack (with threat intelligence and analytics): 1. Visibility: See; 2. Control: Prevent
- During an attack (with point-in-time protection): 1. Visibility: Detect; 2. Control: Block and Contain
- After an attack (with continuous analysis and retrospective security): 1. Visibility: Record, Analyze, Detect; 2. Control: Remediate

Threat Intelligence and Advanced Analytics: AMP Strengthens Defenses Using Threat Intelligence and Malware Analysis
Learn about threats faster:
- Expertise: team of threat analysts/researchers working 24/7 to provide you with the latest threat intelligence
- Knowledge base: extensive and growing back-end research on the latest threats and security trends
- Insight: analytics and behavioral indicators for your system written in plain English
Scale: 35% of worldwide email traffic; 13 billion web requests per day; 100 TB of data received daily; 1.1 million incoming malware samples per day

Threat Intelligence and Advanced Analytics: The Numbers
Cisco Collective Security Intelligence Cloud (WWW, Email, Endpoints, Web, Networks, IPS, Devices):
- 1.6 million global sensors
- 100 TB of data received per day
- 150 million+ deployed endpoints
- Experienced team of engineers, technicians, and researchers
- 35% of worldwide email traffic
- 13 billion web requests
- 24x7x365 operations
- 4.3 billion web blocks per day
- 40+ languages
- 1.1 million incoming malware samples per day
Sources feeding it: AMP Community; Private/Public Threat Feeds; Talos Security Intelligence; AMP Threat Grid Intelligence; AMP Threat Grid Dynamic Analysis (10 million files/month); Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; AEGIS Program
Output: automatic updates in real time to AMP (Advanced Malware Protection) devices

Point-in-Time Detection: AMP Delivers the First Line of Defense, Blocking Known and Emerging Threats with Point-in-Time Defenses
Techniques:
- One-to-one signature
- Fuzzy fingerprinting
- Machine learning
- Advanced analytics
- Static and dynamic analysis (sandboxing)
Goals: automatically stop as many threats as possible, known and unknown; offer better accuracy and dispositioning; block known and emerging threats; protect your business with no lag

But Point-in-Time Detection Alone Will Never Be 100% Effective

Continuous Analysis and Retrospective Security: Only AMP Continuously Monitors and Analyzes All File Activity, Regardless of Disposition
Across all control points: WWW, Email, Web, Network, Endpoints, Mobile
Take advantage of key capabilities to answer the questions that matter:
- Identify a threat's point of origin
- Track its rate of progression and how it spread
- See where it's been
- See what it is doing
- Surgically target and remediate

The AMP Everywhere Architecture: AMP Protection Across the Extended Network for an Integrated Threat Defense
- AMP Threat Intelligence Cloud, with Threat Grid (malware analysis + threat intelligence engine)
- AMP Private Cloud Virtual Appliance
- AMP for Endpoints (Windows OS, Android mobile, virtual, Mac OS; CentOS and Red Hat Linux for servers and datacenters); can be launched from AnyConnect, including on remote endpoints
- AMP on Firepower NGIPS Appliance (AMP for Networks)
- AMP on Cisco ASA Firewall with Firepower Services
- AMP on ISR with Firepower Services
- AMP on Web and Email Security Appliances
- AMP on Cloud Web Security and Hosted Email (CWS/CTA)

Deployment Options in Detail

AMP on ESA, WSA, ASA, CWS
- Method: license with ESA, WSA, CWS, or ASA customers
- Ideal for: new or existing Cisco CWS, Email/Web Security, ASA customers
- Details: ESA/WSA: prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services
- Threat Grid: hybrid or on-premises integration

AMP for Networks (AMP on FirePOWER Network Appliance)
- Method: snap into your network
- Ideal for: FirePOWER NGIPS customers
- Details: wide visibility inside the network; broad selection of features before, during, and after an attack
- Threat Grid: on-premises integration in 1H 2016

AMP for Endpoints
- Method: install lightweight connector on endpoints
- Ideal for: Windows, Mac, Android, Linux, virtual machines; can also deploy from the AnyConnect client
- Details: comprehensive threat protection and response; granular visibility and control; widest selection of AMP features
- Threat Grid: integrated into the file analysis feature

AMP Private Cloud Virtual Appliance
- Method: deploy on-premises Virtual Appliance
- Ideal for: high-privacy environments
- Details: Private Cloud option for those with high-privacy requirements; can deploy in full air-gapped mode or cloud proxy mode; for endpoints and networks
- Threat Grid: integration coming in 1H 2016

If Something Gets In, Retrospective Security Helps You Find Answers to the Most Pressing Security Questions
- What happened?
- Where did the malware come from?
- Where has the malware been?
- What is it doing?
- How do we stop it?
See AMP in Action!: https://www.youtube.com/watch?v=srqlhdxap5g
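The two ideas the deck contrasts, a point-in-time verdict that is final once the file passes the gateway versus a continuous file-activity record that can be re-read when the disposition later changes, are easier to see in a small model. The following is an added example, not Cisco's code or AMP's data format: the trajectory events, the hash (a labelled placeholder) and the disposition feed are all constructed, and the report layout is an assumption chosen to line up with the slide's questions (origin, spread, activity, remediation targets).

```python
"""Retrospective security over a file trajectory (constructed example, not AMP's own code).

A gateway that decides once at arrival ("point-in-time") allows a file whose
disposition is still unknown.  Endpoints keep recording what that file does.
When the cloud verdict later flips to malicious, the recorded trajectory answers
where it came from, where it has been, what it did, and which hosts to remediate.
"""
from collections import OrderedDict
from datetime import datetime

# Placeholder hash: not a real sample, just a key for the constructed records.
SAMPLE_HASH = "PLACEHOLDER-SHA256-0000"

# Constructed trajectory events: (timestamp, host, sha256, action, detail).
EVENTS = [
    ("2016-03-01T09:00:00", "ws-17", SAMPLE_HASH, "create",  "email attachment invoice.doc.exe"),
    ("2016-03-01T09:02:10", "ws-17", SAMPLE_HASH, "execute", "parent=outlook.exe"),
    ("2016-03-01T09:05:30", "ws-17", SAMPLE_HASH, "network", "dst=203.0.113.5:443"),
    ("2016-03-01T10:41:00", "fs-01", SAMPLE_HASH, "create",  "copied over SMB from ws-17"),
    ("2016-03-01T13:15:45", "ws-22", SAMPLE_HASH, "create",  "copied from \\\\fs-01\\share"),
    ("2016-03-01T13:16:02", "ws-22", SAMPLE_HASH, "execute", "parent=explorer.exe"),
    ("2016-03-02T08:30:00", "ws-09", SAMPLE_HASH, "create",  "copied from \\\\fs-01\\share"),
]

# Constructed disposition feed: the verdict the cloud lookup returns over time.
# The file arrives while still "unknown"; a day later analysis flips it to malicious.
DISPOSITION_FEED = {
    SAMPLE_HASH: [
        ("2016-03-01T09:00:00", "unknown"),
        ("2016-03-02T12:00:00", "malicious"),
    ],
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def disposition_at(sha256, when, feed=DISPOSITION_FEED):
    """Latest disposition published for sha256 at or before `when` (default: unknown)."""
    current = "unknown"
    for ts, verdict in feed.get(sha256, []):
        if parse_ts(ts) <= when:
            current = verdict
    return current


def point_in_time_verdict(sha256, when, feed=DISPOSITION_FEED):
    """A gateway that decides once, at arrival: only a hash already known bad is blocked."""
    return "block" if disposition_at(sha256, when, feed) == "malicious" else "allow"


def retrospective_report(sha256, events=EVENTS, feed=DISPOSITION_FEED):
    """Re-read the recorded file activity once the verdict changes and answer the
    'after' questions: origin, spread, activity, dwell time, hosts to remediate."""
    seen = sorted((e for e in events if e[2] == sha256), key=lambda e: parse_ts(e[0]))
    if not seen:
        return None
    flip = next((parse_ts(ts) for ts, v in feed.get(sha256, []) if v == "malicious"), None)
    # Rate of progression: cumulative count of distinct hosts, in first-seen order.
    progression, known = [], set()
    for ts, host, _, _, _ in seen:
        if host not in known:
            known.add(host)
            progression.append((ts, len(known)))
    origin = seen[0]
    return {
        "origin": {"time": origin[0], "host": origin[1], "how": origin[4]},
        "affected_hosts": list(OrderedDict.fromkeys(h for _, h, _, _, _ in seen)),
        "executed_on": list(OrderedDict.fromkeys(h for _, h, _, a, _ in seen if a == "execute")),
        "network_contacts": [d for _, _, _, a, d in seen if a == "network"],
        "progression": progression,
        "verdict_changed_at": flip.isoformat() if flip else None,
        "dwell_hours": (flip - parse_ts(origin[0])).total_seconds() / 3600 if flip else None,
    }


if __name__ == "__main__":
    arrival = parse_ts("2016-03-01T09:00:00")
    print("gateway verdict at arrival:", point_in_time_verdict(SAMPLE_HASH, arrival))
    for key, value in retrospective_report(SAMPLE_HASH).items():
        print(f"{key}: {value}")
```

The gateway answer at arrival is "allow" because nothing was known bad yet; that single decision is the event horizon the deck describes. The report is computed only from records endpoints kept regardless of disposition, which is why the dwell time (27 hours here) and the full host list are recoverable after the fact rather than being limited to the one host where an alert eventually fires.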