AMP for Endpoints, Cloud Email Security, Cisco Threat Response 8/10 – 2019 Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified Consulting Systems Engineer, Cyber Security, Denmark

Page 1: AMP for Endpoints, Cloud Email Security, Cisco Threat Response · 2019-10-10

AMP for Endpoints, Cloud Email Security, Cisco Threat Response

8/10 – 2019

Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified

Consulting Systems Engineer, Cyber Security, Denmark

Page 2

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

An integrated portfolio creates value for customers

Open APIs · Developer Environment · Services

Best of Breed Portfolio: Endpoint · Network · Cloud

Leading Threat Intelligence

Management · Response · Deploy · Policy

Investigate · Detect · Remediate

3rd Parties: 160+ security tech partners

Page 3


Share intelligence across network, web, email, and endpoints to see once, block everywhere.

Talos · Threat Grid · AMP Cloud

See once, block everywhere

NGIPS · CES/ESA · WSA/SIG · ISR · NGFW · Endpoints

Page 4

AMP for Endpoints

Page 5


Why choose next gen endpoint security?

Traditional antivirus (AV) is just that: traditional

• Threats they miss: 57%
• Attacks they block: 43%
• Ineffective at targeted attacks & unknown threats
• Cumbersome & costly to deploy and maintain
• Siloed and disconnected w/ other security tools

Next gen endpoint security is simply better, faster

• Better protection against known & unknown threats
• Cloud form factor = faster time to protection
• Easier to integrate w/ broader security architecture
• Up to 99% efficacy rating
• Higher FTE cost savings

Page 6


The daily struggle to react to alerts and troubleshoot potential or real incidents

Security tool selection vs. Security delivery: Tool Selection · Tool Deployment · Security Delivery

Page 7


So what happens when one is missed?

Traditional Point-in-Time Detection: Initial Inspection (IPS)

Initial Disposition = Clean · Actual Disposition = Infected · Too Late!

Blind to scope of compromise

Prevention tools are insufficient and can never catch 100%

AV Analysis Stops:
• Sleep Techniques
• Unknown Protocols
• Encryption
• Polymorphism

Preventing malware attacks is ideal, but you can never prevent 100% of attacks.

Page 8


Prevent

Page 9


Prevent threats at the point of entry (Continuous Protection)

• One-to-One Signature: Block files using SHA256 hashes or AV signatures and compare them against the AMP Cloud Database
• Fuzzy Fingerprinting: Block families of malware that rely on polymorphism to bypass detection
• Machine Learning: Use trained ML models to identify malicious files based on static attributes
• Device Flow Correlation: Block malicious IP communications to and from the endpoint

Page 10


Prevent threats with behavioral detection (Continuous Protection)

• Exploit Prevention: Identify threats exploiting trusted processes in memory (fileless malware)
• System Process Protection: Prevent system processes from being exploited through memory injection
• Malicious Activity Protection: Prevent ransomware before it encrypts your entire disk

Page 11


Higher threat efficacy validated by third party testing

Validated by independent tests: AV Comparatives, Miercom, and NSS Labs

Powered by Talos threat intelligence

Strong prevention – multiple engines and blocking tools

• Malware Protection Test: Protection Rate 99.8%, False Alarms 0
• Real World Protection Test: Protection Rate 99.2%, False Alarms 0

Page 12


Detect

Page 13


Close attack pathways, uncover stealthy malware, and reverse-analyze suspicious threats.

AMP4EP Detection Tools

Vulnerable Surface Detection: The vulnerabilities feature shows, across all endpoints, software known to be vulnerable to malicious attacks and recommends patching options.

Low Prevalence: Our low prevalence feature shows you applications on endpoints that are flying under the radar, and lets you take a closer look to see if there’s any malicious behavior happening.

Indications of Compromise: File, telemetry, and intrusion events are correlated and prioritized as potentially active breaches, helping security teams to identify malware incidents and connect them to coordinated attacks. Users can also create and track their own custom IoCs to catch targeted attacks specific to applications in their environment.

Page 14


AMP4EP Detection Tools

Close attack pathways, uncover stealthy malware, and reverse-analyze suspicious threats.

API Integrations: With a bi-directional (read and write) API enabled on AMP for Endpoints, users can more easily integrate with third-party security tools and SIEMs, and access data and events in their AMP for Endpoints account without the need to log into the management console.

Integration with Cognitive Threat Analytics (CTA): When AMP4EP is deployed alongside a compatible web proxy, like Cisco WSA or Blue Coat ProxySG, CTA can be integrated with AMP4EP to uncover fileless or memory-only malware as well as infections that live in a web browser only. CTA monitors web traffic in and out of endpoints to detect command and control and catch malware before it compromises the OS level.

Page 15

Orbital Advanced Search

Simplify threat hunting and investigation

• Proactive: no antecedent required
• Real time search across all endpoints for:
  • Registry keys
  • Users
  • Processes
  • Applications
  • And much more
• Seamless investigation and remediation with Cisco Threat Response

Page 16


Respond

Page 17

Endpoint Isolation

Contain attack fast

• Isolate infected hosts from the rest of the network
• Contain the threat without losing forensics data
• Shrink remediation cost by limiting the scale of attack
• Fast endpoint reactivation once remediation is complete

Page 18


AMP Everywhere – See More. Respond Faster.

Get visibility and control across all attack vectors to defend against today’s most advanced threats.

• AMP for Firewalls: Supercharge your next-generation firewall by turning on AMP capabilities on the Cisco Firepower NGFW or the Cisco ASA with FirePOWER™ Services.
• AMP for Networks: Get deep visibility into threat activity and block advanced malware with AMP deployed as a network-based solution running on AMP-bundled NGIPS.
• AMP for ISR: Combat and block network-based threats by deploying AMP capabilities on the Cisco® Integrated Services Router (ISR).
• Threat Grid: An on-premises appliance or cloud-based solution for static and dynamic malware analysis (sandboxing) and threat intelligence.
• AMP for Endpoints: Protect your endpoints! Get visibility into file and executable-level activity, and remediate advanced malware on devices running Windows, Mac OS, Linux, and Android.

Page 19


AMP Everywhere – See More. Respond Faster.

Get visibility and control across all attack vectors to defend against today’s most advanced threats.

• AMP for Web: Add AMP to a Cisco Web Security Appliance (WSA) or Cisco Cloud Web Security (CWS) and get visibility and control to defend against advanced threats launched from the web.
• AMP for Private Cloud Virtual Appliance: For high-privacy environments that restrict the use of the public cloud, use an on-premises, air-gapped private cloud deployment of AMP for Networks or AMP for Endpoints.
• AMP for Meraki MX: Add AMP to Cisco Meraki® MX and take advantage of simplified threat protection with advanced capabilities, providing visibility into threats on your network across multiple sites.
• AMP for Email: Add AMP to a Cisco Email Security Appliance (ESA) and get visibility and control to defend against advanced threats launched via email.

Page 20


Cisco Threat Response

Integrating security for faster defense

• Automates & Orchestrates across security products
• Integrates with AMP, Umbrella, Threat Grid, …
• Accelerate response with AMP and Umbrella blocks
• Integrated casebook
• Extensible to third parties (e.g., VirusTotal)
• Email security integration now in beta, Firepower FMC coming soon
• Browser plugin for cross-platform support

Page 21


Cisco Zero Trust

A zero-trust approach to securing access across your applications and environment, from any user, device and location.

Support your zero trust architecture

• Workforce: Ensure only the right users and secure devices can access applications
• Workload: Secure all connections within your apps, across multi-cloud
• Workplace: Secure all user and device connections across your network, including IoT

Enforce Policy-Based Controls

AMP helps you:
• Prevent advanced threats at the point of access and continuously monitor endpoint files
• Contain infected endpoints and revoke network access
• Integrate with other zero trust technologies such as Cisco DUO multi-factor authentication, Cisco AnyConnect VPN, and Cisco Umbrella secure internet gateway

Page 22

Email Security

Page 23

Attackers Use Multiple Ways to Get In

• Malware: Ransomware detections up 90% in 2017 [1]
• Business Email Compromise (BEC): $5.3 Billion in losses [2]
• Phishing: $9.1 Billion in 2017 [3]
• Domain Compromise: 54% of legitimate domains used in phishing campaigns [4]

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Sources:
• https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf
• Business Email Compromise, E-mail Account Compromise
• https://www.malwarebytes.com/pdf/white-papers/CTNT-Q4-17.pdf
• https://www.rsa.com/content/dam/en/infographic/2017-global-fraud-forecast.pdf

Page 24

Protect against business email compromise (BEC)

Sender: Block Fraudulent Emails

• Advanced Phishing Protection: Protect against advanced phishing and BEC
• DKIM, SPF and DMARC: Authenticate senders using certain protocols
• Forged Email Detection: Protect your organization’s executives

Page 25

Sender: Remove BEC Emails already in inboxes

[Diagram: an Employee Inbox holding a Payroll Email, an HR Email and an Email to Executive (Potentially malicious); after Remediation the inbox holds only the Payroll Email and HR Email, with the Malicious Email Removed]

Page 26

Attachments: Block Known and Emerging Malware in Files

• Anti-Virus: Block 100% of files with known viruses or malware
• Outbreak Filters: Protect against emerging malware with real-time intelligence updates

Page 27

Attachments: Combat Targeted Malware with a Powerful Ecosystem

Advanced Malware Protection (AMP)

• Find out if a file contains a threat
• Analyze new files in a secure environment
• Get alerted when malware emerges in your network
• Automate removal from O365 inboxes
• Correlate threats across the endpoint, network and cloud email to block threats faster and more efficiently with AMP Unity

Page 28

URLs: Block Malicious Links Used in Phishing

Efficient URL inspection with an industry-leading web security portfolio

• Content Filters: Analyze threat reputation and categorization to detect malicious links in emails
• Outbreak Filters: Get real-time analysis of questionable links to protect against newly infested sites

Page 29

Block Unwanted Emails with Accuracy

Analyze the context of the entire message

• Sender Profiling: Drop over 80% of bad emails
• Anti-Spam: Block over 99% of spam with accuracy
• Graymail Detection: Reduce admin burden with unwanted email
• Content Filters: Customize what enters your network

Page 30

Inbound and Outbound Protection

Inbound:
• Cisco Email Security with Advanced Malware Protection and Threat Grid

Outbound:
• Cisco Advanced Phishing Protection
• Cisco Domain Protection
• Cisco Email Security with Data Loss Prevention and Encryption

Page 31

Protect Your Data and Brand

Securing outbound email

• Data loss prevention: Use pre-defined policies to stop data loss via outgoing email
• Encryption: Secure sensitive data in transit easily to achieve compliance
• Domain protection: Prevent attackers from using your domain in phishing campaigns

Page 32

Protect Your Customers and Partners

Identify 3rd party email senders

• Sender 1: SPF Pass 100%, DKIM Pass 100%, Volume: 32,078
• Sender 2: SPF Pass 100%, DKIM Pass 0.4%, Volume: 4,047

[Chart: Pass/Fail message counts per day from 6 June to 18 June (12 June marked), y-axis 0 to 300]

Authenticate 3rd party email senders
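As an added example that is not part of the slides or Cisco's code, the following Python shows how the SPF, DKIM and DMARC checks named on slide 24 combine into a per-message verdict, and how per-sender pass rates like the chart above are derived from per-message results. The domains, sample messages and the simplified organizational-domain rule are constructed assumptions.

```python
"""Added example (not Cisco's code): how the SPF, DKIM and DMARC checks named on
slide 24 combine per message, and how slide-32-style per-sender pass rates are
derived. All domains and messages below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    """Per-message results as a receiving MTA records them (Authentication-Results)."""
    header_from: str   # domain of the RFC5322.From header, i.e. what the user sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # identity SPF was evaluated for (MAIL FROM / HELO domain)
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the verified DKIM signature ("" if none)


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels. Assumption: no public-
    suffix list, so co.uk-style suffixes are not handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match, 'r'
    (relaxed) only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_evaluate(r: AuthResult, adkim: str = "r", aspf: str = "r") -> str:
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with the
    visible From domain. A pass on a third party's own bounce domain does not
    count, which is why DKIM is tracked separately on slide 32."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.header_from, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def sender_summary(results: list) -> dict:
    """Per From domain: volume and SPF / DKIM / DMARC pass percentages."""
    out: dict = {}
    for r in results:
        s = out.setdefault(r.header_from, {"volume": 0, "spf": 0, "dkim": 0, "dmarc": 0})
        s["volume"] += 1
        s["spf"] += r.spf_result == "pass"
        s["dkim"] += r.dkim_result == "pass"
        s["dmarc"] += dmarc_evaluate(r) == "pass"
    return {d: {"volume": s["volume"],
                **{k + "_pass_pct": round(100.0 * s[k] / s["volume"], 1)
                   for k in ("spf", "dkim", "dmarc")}}
            for d, s in out.items()}


# Constructed sample: a newsletter platform sending as example.com passes SPF on
# its own bounce domain every time but signs only some mail with d=example.com.
SAMPLE = [
    AuthResult("example.com", "pass", "bounce.mailvendor.example", "pass", "example.com"),
    AuthResult("example.com", "pass", "bounce.mailvendor.example", "none", ""),
    AuthResult("example.com", "pass", "example.com", "none", ""),
    AuthResult("example.com", "fail", "spoofer.example", "none", ""),
]
```

Run on the sample, `sender_summary(SAMPLE)` reports 75% SPF pass but only 50% DMARC pass for example.com, the gap a slide-32-style dashboard is meant to surface before a reject policy is published.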

Page 33