Cisco Connect Ottawa 2018 sixty to zero

AMP CANADA V2
Automating your Security with Cisco
Canada • 2 October 2018
Zero to Sixty
Sean Earhard
Advanced Threat Solution Specialist
647-988-4945 / seearhar@cisco.com
Hussain Mohammed
Advanced Threat Solutions CSE
514-623-3779 / mohhuss3@cisco.com

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Actionable info on how organizations of any size are automating their
most common and challenging security tasks
Agenda

Must automation=work?

( )p i tes
effective security protection information time
x= +
what is required
for security to be
automated?
what happens
when security is
99% effective?

Mimic
verb
1. to imitate or copy in action

8 automation examples

There are many broad models

Model: F3EAD

Mimic:
Hunt for threats inside the environment
• Find: Identify dormant or active files inside the environment that
are threats
• Fix: Verification of the targets
• Finish: Take action against the attack
• Exploit: Collect the information generated from the finish phase
• Analyze: Develop the information collected by fusing it with
broader intelligence to gain a deeper understanding of the threat
and actor.
• Disseminate: Publish the results to feed back into the initial (Find)
stage

React to alerts or user tickets, identify target machine(s), remove machines from service,
verify and/or or reimage, add blocking to consoles, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat,
repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat, repeat…

Rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and more rules and more rules and
more rules and more rules and more rules and more rules and…

Solution:
Cisco AMP
Continuous Analysis and
Retrospective Detection
Patented technology that—even after a file is initially inspected—continues to compare the
files inside your environment with the global threat landscape. By correlating your history
with the latest threat intelligence from Talos, hunts inside your environment to expose
and block threats.

THREATGRID
Cisco AMP
The largest
commercial threat
intelligence team in
the world
AMPThreat Intelligence Cloud
AMP
for Email
AMP
for Network
Firewall & IPS
AMP
for Web
AMP
for Meraki
MX
DNS Umbrella
AMP for
Endpoints
Continuous
Analysis and
Retrospective
Detection correlate
the latest threat
intel with the
history of your
environment

DEMOAMP FOR ENDPOINTS

• Overview:
https://www.cisco.com/c/en/us/products/security/amp-for-
endpoints/index.html
Know More: AMP for Endpoints

Mimic:
Hunt for Anomalous Events
• Find: Anomalies
• Fix: Verification of the targets
and actor.
stage

Time and research and patience and testing and verification and reducing the noise and
chasing false positives and more time and more research and more patience and more testing
and more verification and more reducing the noise and more chasing false positives and
more time and more research and more patience and more testing and more verification and
more reducing the noise and more chasing false positives and more time and more research
and more patience and more testing and more verification and more reducing the noise and
more chasing false positives and more time and more research and more patience and more
testing and more verification and more reducing the noise and more chasing false positives
and more time and more research and more patience and more testing and more verification
and more reducing the noise and more chasing false positives and more time and more
research and more patience and more testing and more verification and more reducing the
noise and more chasing false positives and more time and more research and more patience
and more testing and more verification and more reducing the noise and more chasing false
positives and more time and more research and more patience and more testing and more
verification and more reducing the noise and more chasing false positives and more time and
more research and more patience and more testing and more verification and more reducing
the noise and more chasing false positives and…

Solution:
Cognitive Intelligence
Analyzing billions of web requests daily, Cognitive Intelligence uses machine learning to
find malicious activity that has bypassed security controls, or entered through
unmonitored channels (including removable media or IoT devices), and is operating
inside an organization’s environment.

Layer 1
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relations
CTA
Identify suspicious traffic with Anomaly
Detection
Normal
Unknown
Anomalous
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Anomaly Detection
10B+ requests are processed
daily by 40+ detectors
Each detector provides its
own anomaly score
Aggregated scores are used to
segregate the normal traffic

Layer 1
Layer 2
AMP
CTA
AMP
CTA
Layer 3
detection
Trust
modeling
Dynamic
Malware
Analysis
File
Retrospection
Relations
CTA
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Reduce false positives with Trust Modeling
Anomalous
Normal
Unknown
Unknown
Normal
Unknown
Unknown
Unknown
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Trust Modeling
HTTP(S) requests with similar attributes are
clustered together
Over time, the clusters adjust their overall anomaly
score as new requests are added

Layer 1
Layer 2
AMP
CTA
AMP
CTA
Layer 3
detection
Trust
modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
Categorize requests with Event Classification
Keep as legitimate
Alert as malicious
Keep as suspicious
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Media website
Software update
Certificate status
check
Tunneling
Domain generated
algorithm
Command and control
Suspicious extension
Repetitive requests
Unexpected destination
Event Classification
1,000+ classifiers are applied to a small subset of
the anomalous and unknown clusters
Requests’ anomaly scores update based on their
classifications

Layer 1
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Layer 3
detection
Trust
modeling
Dynamic
Malware
Analysis
File
Retrospection
Relatio
CTA
Attribute anomalous requests to endpoints
and identify threats with Entity Modeling
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
THREAT
Entity Modeling
A threat is triggered when the significance
threshold is reached
New threats are triggered as more evidence
accumulates over time

Layer 1
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Lay
detection
Trust
modeling
Dynamic
Malware
Analysis
File
Retrospection
Relations
CTA
Company B
Company C
Determine if a threat is part of a threat
campaign with Relationship Modeling
Attack Node 1
Attack Node 2
Company A Company A Company A
Phase 1 Phase 2 Phase 3
Threat
Type 1
Threat
Type 1
Threat
Type 2
Incident
Incident
Incident
Incident
Similarity Correlation Infrastructure Correlation
Company B
Company C
Company B
Company C
Incident
Incident
Incident
Incident
Incident
Incident
Incident
Incident
Global
behavioral
similarity
Local
behavioral
similarity Local &
global
behavioral
similarity
Shared
threat
infrastructur
e
Entity Modeling

DEMOCOGNITIVE INTELLIGENCE

• Overview:
https://www.cisco.com/c/en/us/products/security/cognitive-threat-
analytics/index.html
Know More: Cognitive Intelligence

Mimic:
The Hunt for Exploit Attempts
• Find: Suspicious Events – Exploit attempts
• Fix: verification of the targets
and actor.
stage

Solution:
AMP for Endpoints Exploit
Prevention
Monitors process and disk activity for specific behaviors associated to key stages in
ransomware execution—beginning with file download and execution, through to file
encryption. When a process begins to exhibit those behaviors, malicious activity
protection terminates it.

Applications in a modern operating
system based on virtual memory all
access their own address space,
which the system then maps to
locations in physical memory
and/or in the VM file on disk.

Make the memory
unpredictable by
changing the memory
structure
Make the app aware
of legitimate memory
structure
Any code accessing
the old memory
structure is malware

Mimic:
Hunt for Ransomware Encryption
• Find: Ransomware encryption activity
and actor.
stage

Solution:
AMP for Endpoints:
Malicious Activity Protection
(MAP)
Analyzing billions of web requests daily, Cognitive Intelligence uses machine learning to
find malicious activity that has bypassed security controls, or entered through
unmonitored channels (including removable media or IoT devices), and is operating
inside an organization’s environment.

Endpoint
Network
Dropper
C2 Callbacks
Payloads
Command and
Control
Dropper
Executes
Email
Opened
File
Encryption
Delete
Shadow
Copies
Payload
Download
Succeeds
Key
Exchange
Email
Payload Download
Attempts
18
26 False Negatives
Blocks
Dropper
Arrives
User calls the
helpdesk to ask
why IT is
encrypting the
machine

DEMOEXPLOIT PREVENTION AND
MALICIOUS ACTIVITY
PREVENTION

• Overview:
https://www.cisco.com/c/en/us/products/security/cognitive-threat-
analytics/index.html
• Overview:
https://blogs.cisco.com/security/secure-your-endpoints-against-
ransomware-introducing-malicious-activity-protection
Know More: AMP for Endpoints
Exploit Prevention
Malicious Activity Protection

Mimic:
Hunt for Threats in Encrypted Traffic
• Find: Malware inside encrypted traffic
and actor.
stage

“You can’t see
what?”

Solution:
Encrypted Traffic Analytics
With intraflow telemetry captured on Catalyst 9000 switches and ISR 4000 and ASR
1000 routers, Cisco hunts for malware in encrypted traffic.

• Overview:
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-
networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-
wp-cte-en.pdf
Know More: Encrypted Traffic Analytics (ETA)

Mimic:
Dynamic Threat Containment
• Find: Evidence of a compromise
and actor.
stage

Solution:
Rapid Threat Containment
Use the open integration of Cisco security products, technologies from Cisco partners,
and the extensive network control of the Cisco Identity Services Engine (ISE) to
dynamically respond to compromises.

Rapid Threat Containment in Action
Get Answers Faster
Use Cisco® Platform Exchange Grid
(pxGrid) partner technologies to find
threats faster
Stop Attacks Faster
Use the network to contain attacks
manually or automatically
Protect Critical Data Faster
Dynamically restrict access
permissions or remove a device as
its threat score worsens
SIEM
Firepower
Firewall
Custom
Detection
Stealthwatch
Network
Switch Router DC FW DC SwitchWireless
Network as an Enforcer ThreatSecurity Intelligence
Automatic or Initiated by IT Admin
~5 Seconds
ISE
pxGrid

I0I0 0I00 I00I
I0I0 0I00 I00I
I0I0 0I00 I00I
 Access privileges dynamically change with threat or vulnerability score
 Ratings based on open, structured expressions
STIX: Structured Threat Information Expression
AMP
CVSS: Common Vulnerability Scoring System
Access Policy
Cisco ISE
Destination
Worker
Guest
Finance
E-mail
Internet
Remediation
Source
Worker
Guest
Risk L1
Risk L2
Risk L3
Risk L4
Insignificant
Worker has open access to other
workers, finance, email, and internet1

I0I0 0I00 I00I
I0I0 0I00 I00I
I0I0 0I00 I00I
AMP
Cisco ISE
Distracting
Destination
Worker
Guest
Finance
E-mail
Internet
Remediation
Source
Worker
Guest
Risk L1
Risk L2
Risk L3
Risk L4
Access Policy
Malware on the device is identified by
AMP for Endpoints2

I0I0 0I00 I00I
I0I0 0I00 I00I
I0I0 0I00 I00I
Painful
AMP
Access Policy
Cisco ISE
Destination
Worker
Guest
Finance
E-mail
Internet
Remediation
Source
Worker
Guest
Risk L1
Risk L2
Risk L3
Risk L4
Threat activity escalates (ping
sweeps) which changes risk profile3

I0I0 0I00 I00I
I0I0 0I00 I00I
I0I0 0I00 I00I
AMP
Cisco ISE
Damaging
Destination
Worker
Guest
Finance
E-mail
Internet
Remediation
Source
Worker
Guest
Risk L1
Risk L2
Risk L3
Risk L4
Access Policy
Lateral attacks trigger another
increase in risk profile4

I0I0 0I00 I00I
I0I0 0I00 I00I
I0I0 0I00 I00I
AMP
Cisco ISE
Convicted
Destination
Worker
Guest
Finance
E-mail
Internet
Remediation
Source
Worker
Guest
Risk L1
Risk L2
Risk L3
Risk L4
Access Policy
Device is isolated in the Remediation
security group5

• Overview:
https://www.cisco.com/c/en/us/solutions/enterprise-
networks/rapid-threat-containment/index.html
Know More: Rapid Threat Containment

Mimic:
Sharing Threat Intel Between Vendors
• Find: Evidence of a compromise
and actor.
stage

Memorize every console and jump between them as fast as you can…
…or…
buy a SIEM and…
connect that SIEM to all the things and…
get the SIEM producing and…
keep that SIEM producing

Solution:
Threat Grid
Accelerate malware threat detection and response with a powerful API that integrates
and automates existing security products and processes.

Supported Integrations & PartnersAMP Solutions Select Recipe Integrations Select Threat Feed Integrations
Glove Box interactive malware lab
Automated correlation of behavior between samples
2-way API integration with non-Cisco tools
Advanced file analysis
Cisco AMP Threat Grid Cloud

Supported Integrations & PartnersAMP Solutions Select Recipe Integrations Select Threat Feed Integrations
Glove Box interactive malware lab
Automated correlation of behavior between samples
2-way API integration with non-Cisco tools
Advanced file analysis
Cisco AMP Threat Grid Appliance

DEMOTHREAT GRID

• Overview:
https://www.cisco.com/c/en/us/products/security/threat-
grid/index.html
Know More: Threat Grid

Mimic:
The full lifecycle of Incident Response
• Find: Evidence of a compromise (picking up the scent)
• Fix: verification of the targets (following the scent)
• Finish: Take action against the attack (eradicating the source)
and actor.
stage

Find: Threat intel (external)
Fix: Match to targets in your environment (internal)
Finish: Stop the attack (internal)
Exploit: Collect internal intel from the finish stage (internal)
Analyze: Add external info to deepen understanding (external)
Disseminate: Publish the results to repeat the Find phase (internal)

Solution:
Cisco Threat Response
Simplifies security investigations and incident response. It aggregates threat intelligence,
enriches that intelligence with context from your organization, and shows where you’re
impacted. And it places response actions right at your fingertips.

UNSTRUCTURED
SNAP-
SHOTS
CASE-
BOOKS
QUERY ALL ONE-CLICK QUERY ALL ONE-CLICK PORTABLE
CTR
DISSEMINATEANALYZEEXPLOITFINISHFIXFIND
SOURCES
SOURCES
SOURCES
TOOL
TOOL
TOOL
TOOL
TOOL
TOOL
TOOL
SOURCE
SOURCE
SOURCE
SOURCE
SOURCE
SOURCE
SOURCE
ACTION
ACTION
ACTION
ACTION
ACTION
ACTION
ACTION
PIVOT
PIVOT
PIVOT
PIVOT
PIVOT
PIVOT
PIVOT
1.8
or…

DEMOCISCO THREAT RESPONSE

• Overview:
https://www.cisco.com/c/en/us/products/security/threat-
response.html
Know More: Cisco Threat Response (CTR)

CONCLUSION

Cisco Connect Ottawa 2018 sixty to zero

Cisco Connect Ottawa 2018 sixty to zero

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cisco Connect Ottawa 2018 sixty to zero

Similar to Cisco Connect Ottawa 2018 sixty to zero (20)

More from Cisco Canada

More from Cisco Canada (20)

Recently uploaded

Recently uploaded (20)

Cisco Connect Ottawa 2018 sixty to zero