Endpoint Security - Netteam A/S


Post on 30-Apr-2020


Endpoint Security

Agenda

• AMP + Threat Grid
- What is it
- Deployment (Demo)
- Portal
• Umbrella
- What is it
- Deployment
- Portal (Demo)
• AMP Visibility
• Netteam's partner portal (Umbrella)
• Security Portfolio


Umbrella (What is it)


It all starts with DNS

Umbrella

Cisco.com 72.163.4.161

DNS = Domain Name System

• First step in connecting to the internet

• Precedes file execution and IP connection

• Used by all devices

• Port agnostic


Cisco Umbrella

Cloud security platform

Built into the foundation of the internet

Intelligence to see attacks before launched

Visibility and protection everywhere

Enterprise-wide deployment in minutes

Integrations to amplify existing investments

Malware

C2 Callbacks

Phishing

208.67.222.222

Built into foundation of the internet

Umbrella provides:

Connection for safe requests

Prevention for user and malware-initiated connections

Proxy inspection for risky domains

Safe request

Blocked request


Prevents connections before and during the attack

Command and control callback

Malicious payload drop

Encryption keys

Updated instructions

Web and email-based infection

Malvertising / exploit kit

Phishing / web link

Watering hole compromise

Stop data exfiltration and ransomware encryption

Where does Umbrella fit?

[Diagram labels: Malware, C2 Callbacks, Phishing; HQ: Sandbox, NGFW, Proxy, Netflow, AV; BRANCH: Router/UTM, AV; ROAMING: AV; First line]

Benefits

• Block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster
• Provision globally in minutes

Your security challenges

• Malware and ransomware
• Gaps in visibility and coverage
• Cloud apps and shadow IT
• Difficult to manage security


Umbrella (Deployment)

Deployment (Client)


Umbrella (Portal Demo)


AMP + Threat Grid (What is it)

You’ve made significant investments in critical security layers

• Next-generation firewalls
• Network access control
• Intrusion and prevention systems
• Gateway security
• Endpoint security

But it’s impossible to block 100% of threats, 100% of the time

Single points of inspection have their limitations

Current defense in-depth approach is built on binary detection

• Known threats are blocked
• Good files make it through
• Unknown threats are passed to the next system

[Diagram labels: NGIPS, Endpoint, WSA, ESA, ISR, NGFW]

When an incident turns into a breach, the cost to businesses is significant

• 23% of organizations lost business opportunities as the result of a breach **
• The average per capita cost of data breach was $225 in the U.S. *
• The average cost of post-breach remediation efforts is $1.56M in the U.S. *

*Source: Ponemon Cost of Security Breach Report 2017

**Source: Cisco Annual Security Report 2017

A single, threat-centric control plane across your infrastructure

[Diagram labels: Branch Routers, Endpoint, Datacenter, Network edge, Gateways, Email; Malware Analysis, AMP Cloud, Threat Intel]

Helping you detect and mitigate threats that have evaded your defenses

• Make the unknown, known
• Accelerate security response
• See once, block everywhere

Detect and mitigate threats in your environment faster

Make the unknown, known | Accelerate security response | See once, block everywhere

In most networks, there’s no way to see threat progression or origin

With AMP, trace back threat activity and remediate incidents quickly

AMP continuously records all activity

[Diagram labels: Threat; Initial device compromised; Launched malicious file downloads; Sent information from internal server; No threat symptoms displayed; Compromised Customer data; Origin; Threat Contained; IoC identified]

Supercharge your existing security infrastructure

Make the unknown, known | Accelerate security response | See once, block everywhere

AMP makes everything in your network better

• Protect, detect, and respond across your environment
• Automatically block threats seen outside your network
• APIs augment the functionality of Cisco and 3rd party products

[Diagram labels: Talos, API integration, Sandboxing, AMP Cloud; AMP; ESA, ISR, Endpoint, 3rd party products, NGIPS, WSA, NGFW]

Empower your team to act faster and decrease the impact of an incident

Make the unknown, known | Accelerate security response | See once, block everywhere

• Understand which alerts need further investigation with precision
• Eliminate time-consuming and error-prone tasks
• Automate intelligence-driven security responses

With AMP, you get both across your entire environment

[Diagram labels: ISR, Endpoint, NGIPS, NGFW, WSA / SIG, CES / ESA; Threat Grid, AMP Cloud, Talos]

Advanced Malware Protection

Solution Overview

What Is Cisco AMP for Endpoints?

• Software as a service (subscription)
• Cloud managed
• Lightweight connector
• Protects Windows, Mac, Linux, Android, and iOS

AMP for Endpoints

• Prevent: Prevent attacks and block malware in real time
• Detect: Continuously monitor for threats on your endpoints to decrease time to detection
• Respond: Accelerate investigations and remediate faster and more effectively

Prevent

Plan A: Prevention framework

• Antivirus
• Custom Detections
• Malicious Activity Protection
• AMP Cloud
• System Process Protection
• Exploit Prevention

[Diagram axis: TIME TO DETECTION; stages: IN MEMORY, ON DISK, POST INFECTION]


Detect

Plan B: Detection framework

• Device Flow Correlation
• Cognitive Threat Analytics
• Antivirus
• Custom Detections
• Malicious Activity Protection
• AMP Cloud
• System Process Protection
• Exploit Prevention

[Diagram axis: TIME TO DETECTION; stages: IN MEMORY, ON DISK, POST INFECTION]

Exploit Prevention

In Memory

• Make the memory unpredictable by changing the memory structure
• Make the app aware of legitimate memory structure
• Any code accessing the old memory structure is malware!

[Diagram labels: Inside the Memory Space; Decoy System Resources; New System Resources; Trusted Code; Trap; Malicious Code Injection]

System Process Protection

In Memory

• Protects system processes from being compromised through memory injection attacks by other processes

[Diagram labels: Netlogon; Active Directory; LSA server; SAM server; Lsass; Msv1_0.dll; Kerberos.dll; Winlogon; LSA policy; SAM; Active Directory]

AMP Cloud

On Disk

• 1-to-1 signatures
- Capability: Unique file matching
- Feature: Fast protection across all products
- Intel: Fed by Threat Grid convictions, Talos engines

• Ethos
- Capability: Fuzzy fingerprints
- Feature: Convict multiple polymorphic variants
- Intel: Large-scale data mining and extensive automation

• Spero
- Capability: Zero-day detections without file uploads
- Feature: Machine learning based on features extracted from file header
- Intel: Model trained with in-field and Talos data

Malicious Activity Protection

On Disk

• Detects abnormal behavior of a running program, initially focused on ransomware
• Uses rules that monitor processes reading, writing and renaming or deleting files within a short span of time
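
The rule type described on this slide, as an added example (not Cisco's rule set and not code from the deck): it flags a process that reads, writes and renames or deletes several distinct files inside one sliding time window. The event format, the 10-second window, the 5-file threshold and the trace are all constructed assumptions.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class FileEvent(NamedTuple):
    ts_ms: int   # event time in milliseconds
    pid: int     # process that performed the operation
    op: str      # "read", "write", "rename" or "delete"
    path: str    # file the operation was applied to


def _recent(ops, op, horizon):
    """True if `op` was seen on this file at or after the window start."""
    t = ops.get(op)
    return t is not None and t >= horizon


def detect_bursts(events, window_ms=10_000, min_files=5):
    """Return [(ts_ms, pid, n_files)] for each process that read, wrote and
    renamed or deleted at least `min_files` distinct files inside one
    sliding window. Events must be sorted by ts_ms. Thresholds are assumed."""
    last_op = defaultdict(dict)     # (pid, path) -> {op: ts_ms of latest occurrence}
    finished = defaultdict(deque)   # pid -> (ts_ms, path) of completed files, oldest first
    alerted = set()
    alerts = []

    for ev in events:
        ops = last_op[(ev.pid, ev.path)]
        ops[ev.op] = ev.ts_ms
        horizon = ev.ts_ms - window_ms

        # A file counts once the same process has read it, written it and
        # renamed or deleted it, all inside the window.
        if (_recent(ops, "read", horizon) and _recent(ops, "write", horizon)
                and (_recent(ops, "rename", horizon)
                     or _recent(ops, "delete", horizon))):
            finished[ev.pid].append((ev.ts_ms, ev.path))
            del last_op[(ev.pid, ev.path)]   # do not count the same sequence twice

        done = finished[ev.pid]
        while done and done[0][0] < horizon:  # slide the window forward
            done.popleft()

        n_files = len({path for _, path in done})
        if n_files >= min_files and ev.pid not in alerted:
            alerted.add(ev.pid)
            alerts.append((ev.ts_ms, ev.pid, n_files))
    return alerts


def sample_trace():
    """Constructed events: one rewrite-and-rename burst and two benign processes."""
    events = []
    for i in range(6):    # pid 4242: rewrites and renames a document every 500 ms
        path, t = f"/home/u/doc{i}.docx", i * 500
        events += [FileEvent(t, 4242, "read", path),
                   FileEvent(t + 100, 4242, "write", path),
                   FileEvent(t + 200, 4242, "rename", path)]
    for i in range(6):    # pid 900: editor saving one file per minute
        path, t = f"/home/u/note{i}.txt", i * 60_000
        events += [FileEvent(t, 900, "read", path),
                   FileEvent(t + 100, 900, "write", path),
                   FileEvent(t + 200, 900, "rename", path)]
    for i in range(20):   # pid 1337: backup job, reads many files, writes one archive
        events.append(FileEvent(i * 50, 1337, "read", f"/home/u/doc{i}.docx"))
    events.append(FileEvent(1_000, 1337, "write", "/backup/archive.tar"))
    return sorted(events)


if __name__ == "__main__":
    for ts_ms, pid, n in detect_bursts(sample_trace()):
        print(f"t={ts_ms}ms pid={pid}: {n} files read, written and renamed/deleted")
```

Widening the window trades detection speed for false positives: with a 400-second window the once-a-minute editor in the trace is flagged as well.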

Custom Detections

On Disk

• Simple (hash-based)
- Quick and easy way to convict unwanted files and initiate Cloud Recall
- Subject to cached dispositions and Global Whitelist

• Advanced
- ClamAV signature language


Antivirus Engine

On Disk

• Tetra - offline AV engine for Windows

• ClamAV – offline AV engine for MacOS, Linux

• AMP Update Server available to distribute definition updates on LAN

Cognitive Threat Analytics

Post Infection

• Data statistics
• Anomaly detection (probabilistic and time series)
• Classification (pictured at right)
• Incidents and campaigns


Device Flow Correlation

Post Infection

• Kernel-level view into network traffic, correlated with initiating process

• Custom IP address detections: IP blacklists and IP whitelists

• Dropper detection and removal in unknown files

• Powered by Cisco Security Intelligence feed


Cloud Indicators of Compromise

Post Infection

• Track behaviors across multiple processes on a single host

• Automate compromise analysis and determination

• Prioritize list of compromised devices


Detect

Continuous Analysis and Retrospective Security

Monitor, record, and analyze all file activity, regardless of disposition

RECORDING

• Identify a threat’s point of origin
• Track its rate of progression and how it spread
• See what it is doing
• See where it's been
• Surgically target and remediate

AMP Unity

[Diagram labels: AMP Cloud; Endpoints; Network Appliances: NGIPS, NGFW; Content Appliances: WWW, WSA, ESA; Global File Trajectory; Whitelists; Blacklists; Global Outbreak Control]

Threat Grid

Solution Overview


Static and Dynamic Analysis

Static Analysis

• File on disc

- Header details

- AV engines

• What it is/contains

Dynamic Analysis

• Execution/Detonation

- Network Connections

- File/System changes

- Function/Library calls

• What it does


AMP and Threat Grid Positioning

Land and Expand

Non-security-focused buyers

• AMP for Endpoints
• Umbrella
• Meraki MX
• Advanced File Analysis

Land and Expand

Security-focused buyers

• Email with AMP
• Threat Grid
• AMP for Endpoints
• Umbrella with AMP

Positioning AMP for Endpoints

“Can AMP replace my antivirus?”

Answer: YES*

*But, are we asking the right question?

Legacy AV

• Disk encryption
• DLP
• Free toaster oven
• ???

AMP

• Protection
• Detection
• Response

[Diagram label: Antivirus]

Positioning Threat Grid

Threat Grid Cloud / Appliance

• Static and dynamic malware analysis powered by Threat Grid
• Discover potential new threats and indicators of compromise
• Extensive reporting: pivot and drill down on data elements
• Adjust sample run time and interact with malware samples in Glovebox
• Single organization-wide view of all sample submissions
• Open API to automate sample uploads from other security tools

AMP Enabled Devices

• Static and dynamic malware analysis powered by Threat Grid
• Discover potential new threats and indicators of compromise
• Basic reporting: Behavioral Indicators, Network Activity, etc
• Limited to 5-minute run time on preset VM images; no interaction
• Only see reports from samples submitted from each technology

Sizing Threat Grid

Organization Account (200+p+s)/day

200 included Threat Grid submissions shared across any number of AMP integrated devices

Organization-wide Advanced File Analysis Licenses

[Diagram labels: API Integrations; AMP-enabled devices; Threat Grid Cloud; NGFW; Email; Web; Umbrella; Endpoint; AFA Licenses]

"behaviors": [{"name": "excessive-suspicious-activity", "threat": 90},

Positioning Threat Grid

Who is a good prospect for Threat Grid?

• Technical analyst / incident responder
• Looking to boost the capabilities of their existing security architecture
• Mature security team –OR– is resource constrained and needs low OpEx solution to empower junior analysts with automated submissions
• Has AMP-integrated products (Firepower, AMP for Endpoints, ESA/CES, WSA, Meraki, Umbrella)

AMP and Threat Grid

Design

Cloud Architecture

[Diagram labels: Threat Intelligence Cloud; Talos; AMP Public / Private Cloud File Reputation; Threat Grid Cloud / Appliance (Sandboxing); Threat Intel; File Analysis Results; File Dispositions, IOCs, ML; Behavioral Indicators]

Solution Overview

• File Reputation
- Function: Blocking of known malicious files
- Powered by: AMP Cloud

• File Analysis
- Function: Behavior analysis of unknown files
- Powered by: Threat Grid Cloud

• File Retrospection
- Function: Retrospective alerting upon disposition change
- Powered by: AMP Cloud

AMP and Threat Grid Integrations

[Table: services (File Reputation, File Analysis, File Retrospection) by product (Meraki MX, ESA / CES, WSA, Umbrella, Firepower, Endpoint); cell values not preserved]


Deployment Modes


Deployment

AMP and Threat Grid Deployment Options

• Capability: File Reputation & Retrospection (AMP Cloud)
- Deployment options: AMP Public Cloud, AMP Private Cloud

• Capability: File Analysis (Threat Grid Cloud)
- Deployment options: Threat Grid Cloud, Threat Grid Appliance

Deployments (Endpoint, Public)

[Diagram labels: Organization’s Perimeter; AMP Connector (Endpoint); AMP Cloud; Threat Grid Cloud; File Reputation; File Analysis]

• File Reputation Check (includes hash, ML features, IP lookup)
• File Retrospection
• File Fetch (suspicious file)
• Analysis Request (includes the file)
• Malicious File Hash is automatically marked in AMP Database

Deployments (Network, Public)

[Diagram labels: Organization’s Perimeter; AMP Connector (Firepower); FMC; AMP Cloud; Threat Grid Cloud; File Reputation; File Analysis]

• File Reputation Check (includes hash, ML features)
• File Reputation Check (includes hash, ML features)
• File Retrospection
• Analysis Request (includes the file)
• Analysis Report (indicators, threat score)
• Malicious File Hash is automatically marked in AMP Database

AMP Visibility

Cisco Visibility

Threat Intelligence Orchestration

Who / What / Where / When / How

“This hash has been submitted for analysis 5 times in 30 days, was delivered by email and has been seen by AMP for Endpoints 9 times”


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential

Threat hunting

One click remediation

Intelligence correlation

Perform in-depth investigations


Umbrella Partner Portal

Security Portfolio

https://www.cisco.com/c/en/us/products/security/integrated-cybersecurity-portfolio-demo.html

https://www.youtube.com/watch?v=i6GNTwPpZLo&t=141s

1. Share threat intelligence
2. Share event information
3. Share policy information
4. Share contextual awareness