EXPOSING ADVANCED THREATS (AMP)

Sean Earhard, Advanced Threat Solutions
seearhar@cisco.com / 647-988-4945

Jean-Paul Kerouanton, Advanced Threat Solutions CSE
jkerouan@cisco.com / 647-929-5938
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
HOW QUICKLY CAN YOUR TEAM—AND YOUR SECURITY VENDORS—DELIVER THE ANSWERS TO THESE QUESTIONS:
• WHERE DID IT ORIGINATE?
• HOW DID IT SUCCEED?
• HOW MANY MACHINES/USERS?
• WHAT IS IT DOING NOW?
• HOW CAN IT BE STOPPED?
• WITH 100% CONFIDENCE?
24 HOURS IN ENTERPRISE SECURITY: 2016 vs. 2015
• Systems will successfully stop a threat: 72 (2016) vs. 32 (2015)
• Systems will be found to be breached: 6 vs. 24
• Breached systems will have been breached for over a week: 1 vs. 3
• Deployed systems having vulnerable software: 48% vs. 28%
• More likely to be breached if a vulnerable application exists: 62% vs. 39%
• More likely to be breached if they have been breached in the past: 35% vs. 38%
TYPICAL CYBERSECURITY WORKFLOW vs. TIME REQUIRED

BLOCK
Protection fails. Today, 1.5M unique threats will be discovered – even 99.9% protection will fail 1,500 times.
“How are we finding these failures in our environment?”

RESPOND TO ALERTS
Security tools generate 100’s, even 1,000’s of alerts each day. Any one of those could be a breach in progress.
“How do we know we’re responding to the right alerts?”

INVESTIGATE INCIDENTS
When a cybersecurity incident impacts the business, the business needs answers:
• Where did it start?
• How did it succeed?
• How long have we been compromised?
• How many machines are impacted?
• How can it be stopped?
“How long does it take us to answer these questions?”

REIMAGE + RECOVER
Reimaging is not recovering. The average compromised machine remains undiscovered for 200+ days.
“How long does it take us to find the rest of the machines compromised by the same attack?”

IMPROVE DEFENSE
Reducing the attack surface means upgrading security policy – but the average organization manages 34-55 security tools.
“How long does it take us to redefine security in all our tools?”
1. BLOCK
Stay out!
THE ATTACK CONTINUUM
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
(Budget and time are plotted for each phase.)
Tools across the continuum: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Antivirus, Email/Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM

Point-in-time threat inspection: antivirus, network, web, email. This population of threats is 100% effective, 100% of the time.

BEFORE, DURING AND AFTER IN ACTION
LEGACY SECURITY PRODUCTION MODEL
1. Mass sample collection (malware sample #A4409K)
2. Prioritized sample processing (malware analysis #A4409K)
3. Prioritized detection creation (signature update #A4409K)
4. Signature payload distribution
TODAY
ATTACK FLOW EXAMPLE
• A Firefox user connects to http://www.downloaders.com and downloads an unknown .zip.
• Two files are accessed when the .zip is opened: b260653178.exe and a PDF.
• The PDF Reader application is opened to read the PDF. Acrobat launches svchost.exe.
• svchost.exe connects to http://192.168.1.12.
• File #3 connects to 4 IP addresses, opens a dialog window and awaits a response.
• The last unknown file launches calc.exe, hollows the process and begins listening for remote connections.
• It geolocates and then connects to a C&C server.
• 3 files are downloaded, but 2 are blocked by AMP.
• File #4 is downloaded.
• AMP Cloud issues a retrospective block.

37% FALSE NEGATIVES ARE COUNTED AS SECURITY ‘WINS’
WHAT IS GARTNER ADVISING ABOUT THIS?
65% of CEOs say their risk management approach is falling behind.
“In a new reality where security breaches come at a daily rate, we must move away from trying to achieve the impossible perfect protection and instead invest in detection and response. Organizations should move their investments from 90 percent prevention and 10 percent detection and response to a 60/40 split.”
Peter Sondergaard, Senior VP and Global Head of Research, Gartner
WHO IS THE TOP ‘DETECTION AND RESPONSE’ VENDOR?
NSS LABS: BREACH DETECTION SYSTEMS
• Over 5 billion discrete data elements
• Hundreds of victim machines
• Collection and analysis of terabytes of logs
• Hundreds of discrete samples used in current campaigns
• Exploits, malware, and evasion testing was performed using regularly abused compromise mediums such as web and email—leveraging multiple common document types
• Over 100 unique evasion mechanics were tested
Results: only vendor to block 100% of evasion techniques; top vendor 2 years in a row; Cisco AMP rated 99.2% effective.
2015 Gartner MQ for Intrusion Prevention Systems:
“The Advanced Malware Protection (AMP) products provide a quicker path to adding advanced threat capabilities… competing well against stand-alone and established advanced persistent threat (APT) solution vendors.”
THE CISCO RESPONSE
AMP OVERVIEW
Cisco Advanced Malware Protection: Built on Unmatched Collective Security Intelligence
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600 engineers, technicians, and researchers
• 35% of worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
• AMP Community
• Private/Public Threat Feeds
• Talos Security Intelligence
• AMP Threat Grid Intelligence
• AMP Threat Grid Dynamic Analysis: 10 million files/month
• Advanced Microsoft and Industry Disclosures
• Snort and ClamAV Open Source Communities
• AEGIS Program
Coverage: Email, Endpoints, Web, Networks, IPS, Devices, WWW. Automatic updates in real time.
(Diagram: the Cisco Collective Security Intelligence Cloud feeding AMP, Advanced Malware Protection.)
• 3.5 billion searches today; 20.1 billion threats blocked today; 18.5B
• Talos: the Cisco security and intelligence research group
• AMP continuously records activity regardless of disposition
• AMP Cloud or private cloud; AMP ThreatGrid continuous background analysis
• Systemic response and retrospective detection: malware events shared across HQ, store (POS), data center and endpoint
• Deployment points: FireSIGHT, AMP appliance (NGIPS), AMP Cloud, AMP for Endpoints, ThreatGrid dynamic analysis, Cisco Web, Cisco Email, ASA + FPS
AMP WORKFLOW IN ACTION
AMP INFRASTRUCTURE / AMP ARCHITECTURE
• Talos
• AMP for Endpoint
• FireSIGHT Management Center
• AMP Appliance (NGIPS)
• AMP ThreatGrid Dynamic Analysis
EQUIVALENT COMPETITIVE ARCHITECTURE
CONTINUOUS ANALYSIS AND RETROSPECTIVE SECURITY
AMP blocks threats, but it doesn’t stop there. AMP uses big data analytics to continuously analyze the history of endpoint and network behavior in your environment – uncovering advanced threats and rewinding history to block them.

NETWORK:
• Start with Blocking: IP, IPS, Files
• Tracking Files: Good, Unknown, Bad
• Unknown Files = Dynamic Analysis
• Retrospective Events
ENDPOINT:
• Tracking Files
• Tracking Behavior
• Blocking examples: IP, IoC, Files
• Dynamic Analysis
• Retrospective Events
ATTACK FLOW vs. AMP (AMP for Network and AMP for Endpoint detection)
The same attack flow as above, annotated with what AMP detects:
• Low prevalence analysis delivers a retrospective block
• The file tries to geolocate and then connect to a C&C server
• 3 files are downloaded, but 2 are blocked by AMP
• File #4 is downloaded
• AMP Cloud issues a retrospective block
Triggered along the way: device trajectory, file trajectory, ThreatGrid dynamic analysis, Snort rule analysis, retrospective block, systemic block, low prevalence, ThreatGrid dynamic analysis.
2. RESPOND TO ALERTS
THE POWER OF CONTEXT
In real time, AMP Appliances passively discover the environment they are protecting – mapping the vulnerabilities of each host. An attack leveraging actual vulnerabilities of the target host is a true top alert.
• Alert overload example
• Unfiltered: List of Intrusion Events
• By Impact: List of Intrusion Events
• How? Passive Discovery Overview
• Endpoint: Vulnerable Software
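The impact-based triage described above, as an added example (not Cisco code, and not the product's own impact scheme): each intrusion event is scored against what passive discovery recorded about the target host, so an unfiltered list of five events collapses to the one that hits a host actually running the vulnerable software. The four impact levels, hosts, events and vulnerability ids are constructed for illustration.

```python
"""Impact-based triage of intrusion events against a passively discovered host map.

Added example, not Cisco code. The four impact levels are a simplified scheme
assumed for illustration; every host, event and vulnerability id is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HostProfile:
    """What passive discovery learned about one host from its own traffic."""
    ip: str
    os: str
    services: Dict[int, str]                      # listening port -> product observed
    vulns: Set[str] = field(default_factory=set)  # vulnerability ids mapped to that software


@dataclass
class IntrusionEvent:
    event_id: int
    src: str
    dst: str
    dst_port: int
    rule: str
    product: str                    # software the rule's exploit targets
    vuln_id: Optional[str] = None   # vulnerability the rule detects, if any


def impact_level(ev: IntrusionEvent, hosts: Dict[str, HostProfile]) -> int:
    """1 = target actually has the vulnerability, 2 = target runs the product but
    no matching vulnerability is recorded, 3 = target is known but does not run
    the product on that port, 4 = target never seen by passive discovery."""
    host = hosts.get(ev.dst)
    if host is None:
        return 4
    listening = host.services.get(ev.dst_port, "")
    if ev.vuln_id is not None and ev.vuln_id in host.vulns:
        return 1
    if listening.lower() == ev.product.lower():
        return 2
    return 3


def triage(events: List[IntrusionEvent], hosts: Dict[str, HostProfile]) -> List[Tuple[IntrusionEvent, int]]:
    """(event, level) pairs, most relevant first; sorted() is stable, so ties keep arrival order."""
    return sorted(((ev, impact_level(ev, hosts)) for ev in events), key=lambda pair: pair[1])


def top_alerts(events: List[IntrusionEvent], hosts: Dict[str, HostProfile], max_level: int = 1) -> List[IntrusionEvent]:
    """The 'by impact' view: only events at or above the chosen level."""
    return [ev for ev, lvl in triage(events, hosts) if lvl <= max_level]


def alert_counts(events: List[IntrusionEvent], hosts: Dict[str, HostProfile]) -> Dict[int, int]:
    """How the unfiltered alert volume spreads over the impact levels."""
    counts: Dict[int, int] = {}
    for _, lvl in triage(events, hosts):
        counts[lvl] = counts.get(lvl, 0) + 1
    return counts


# Constructed inventory (as passive discovery would build it) and a constructed alert stream.
HOSTS: Dict[str, HostProfile] = {
    "10.0.1.5": HostProfile("10.0.1.5", "Windows Server 2008", {445: "Microsoft SMB", 80: "IIS"}, {"VULN-SMB-0001"}),
    "10.0.1.9": HostProfile("10.0.1.9", "Linux", {22: "OpenSSH", 8080: "Apache Tomcat"}),
    "10.0.2.3": HostProfile("10.0.2.3", "Windows 10", {445: "Microsoft SMB"}),
}

EVENTS: List[IntrusionEvent] = [
    IntrusionEvent(1, "203.0.113.7", "10.0.1.9", 445, "SMB remote code execution attempt", "Microsoft SMB", "VULN-SMB-0001"),
    IntrusionEvent(2, "203.0.113.7", "10.0.1.5", 445, "SMB remote code execution attempt", "Microsoft SMB", "VULN-SMB-0001"),
    IntrusionEvent(3, "203.0.113.7", "10.0.2.3", 445, "SMB remote code execution attempt", "Microsoft SMB", "VULN-SMB-0001"),
    IntrusionEvent(4, "203.0.113.7", "10.0.3.250", 445, "SMB remote code execution attempt", "Microsoft SMB", "VULN-SMB-0001"),
    IntrusionEvent(5, "198.51.100.2", "10.0.1.9", 8080, "Tomcat manager access attempt", "Apache Tomcat"),
]

if __name__ == "__main__":
    print("unfiltered:", len(EVENTS), "events; by level:", alert_counts(EVENTS, HOSTS))
    for ev, lvl in triage(EVENTS, HOSTS):
        print(f"impact {lvl}: event {ev.event_id} {ev.rule} -> {ev.dst}:{ev.dst_port}")
    print("true top alerts:", [ev.event_id for ev in top_alerts(EVENTS, HOSTS)])
```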
3. INVESTIGATE INCIDENTS
VISIBILITY + CONTROL
Because AMP records the history of the environment, your team can quickly scroll back time to discover what happened.
• Identify ‘patient zero’ – the first victim.
• Determine the attack scope – how malware traversed the organization.
• Contain the event, understanding all affected systems.
• Remediate quickly, focusing on high-priority events and systems.
• Prevent reinfection by identifying the root causes.
Workflow: Investigate Incidents
• Network
• Endpoint
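A worked model of the retrospective security and ‘patient zero’ workflow from the continuous-analysis and visibility passages above, added here as an illustration rather than code from Cisco or AMP: every file sighting is recorded regardless of its disposition at the time, and a later cloud verdict change replays that history to name the first victim, the affected hosts and how long each was exposed. Hosts, hashes, file names and timestamps are constructed, and the dropper name follows the deck's attack flow example.

```python
"""File trajectory and retrospective detection over a continuous activity record.

Added example, not Cisco code: record every sighting regardless of disposition,
then replay history when the verdict flips. All hosts, hashes, names and times
are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Sighting:
    seen_at: datetime
    host: str
    sha256: str
    file_name: str
    parent: str        # process that wrote or launched the file
    disposition: str   # verdict the sensor knew at the time


class ActivityRecord:
    """Append-only history of file activity, kept for clean, unknown and bad files alike."""

    def __init__(self) -> None:
        self._sightings: List[Sighting] = []
        self._verdicts: Dict[str, str] = {}

    def record(self, sighting: Sighting) -> None:
        self._sightings.append(sighting)

    def verdict(self, sha256: str) -> str:
        return self._verdicts.get(sha256, "unknown")

    def trajectory(self, sha256: str) -> List[Sighting]:
        """Every sighting of a hash across all hosts, oldest first (file trajectory)."""
        return sorted((s for s in self._sightings if s.sha256 == sha256), key=lambda s: s.seen_at)

    def patient_zero(self, sha256: str) -> Optional[str]:
        traj = self.trajectory(sha256)
        return traj[0].host if traj else None

    def scope(self, sha256: str) -> List[str]:
        """Hosts that ever saw the hash, whatever its verdict was when they saw it."""
        return sorted({s.host for s in self.trajectory(sha256)})

    def update_verdict(self, sha256: str, new_verdict: str, at: datetime) -> List[dict]:
        """Apply a cloud disposition change. A flip to malicious yields one retrospective
        event per host that already saw the file, with how long it sat there undetected."""
        previous = self.verdict(sha256)
        self._verdicts[sha256] = new_verdict
        if new_verdict != "malicious" or previous == "malicious":
            return []
        first_seen: Dict[str, Sighting] = {}
        for s in self.trajectory(sha256):          # oldest first, so first hit per host wins
            if s.seen_at <= at and s.host not in first_seen:
                first_seen[s.host] = s
        return [{"host": s.host, "file": s.file_name, "parent": s.parent,
                 "first_seen": s.seen_at, "undetected_for": at - s.seen_at}
                for s in first_seen.values()]


# Constructed sample: the dropper spreads to three hosts while still "unknown";
# on the third host it has been renamed, but the hash ties it to the same file.
DROPPER = "sha256:constructed-dropper-b260653178"
DECOY_PDF = "sha256:constructed-decoy-pdf"
T0 = datetime(2016, 3, 1, 9, 0)


def build_sample_record() -> ActivityRecord:
    rec = ActivityRecord()
    rec.record(Sighting(T0, "ws-17", DROPPER, "b260653178.exe", "firefox.exe", "unknown"))
    rec.record(Sighting(T0, "ws-17", DECOY_PDF, "invoice.pdf", "firefox.exe", "unknown"))
    rec.record(Sighting(T0 + timedelta(minutes=2), "ws-17", DROPPER, "b260653178.exe", "explorer.exe", "unknown"))
    rec.record(Sighting(T0 + timedelta(days=3), "ws-22", DROPPER, "b260653178.exe", "explorer.exe", "unknown"))
    rec.record(Sighting(T0 + timedelta(days=8), "ws-09", DROPPER, "update.exe", "svchost.exe", "unknown"))
    return rec


def run_demo() -> dict:
    """The cloud flips the dropper to malicious ten days after the first sighting."""
    rec = build_sample_record()
    verdict_time = T0 + timedelta(days=10)
    events = rec.update_verdict(DROPPER, "malicious", verdict_time)
    return {"patient_zero": rec.patient_zero(DROPPER), "scope": rec.scope(DROPPER),
            "events": events, "pdf_events": rec.update_verdict(DECOY_PDF, "clean", verdict_time)}


if __name__ == "__main__":
    result = run_demo()
    print("patient zero:", result["patient_zero"], "| scope:", result["scope"])
    for ev in result["events"]:
        print(f"retrospective block on {ev['host']}: {ev['file']} via {ev['parent']}, "
              f"undetected for {ev['undetected_for'].days} days")
```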
4. REIMAGE AND RECOVER
SYSTEMIC RESPONSE
AMP works through the cloud, enforcing the security response everywhere it is installed. Before we can react to an alert, AMP is already blocking on the network, on endpoints (even laptops off our network), and on email and web.
Systemic Response
• Example
Move beyond blind reimaging:
• Identify root cause (review)
• Roll back time even after reimaging
5. IMPROVE DEFENSE
“AMP finds what our other tools miss”
“We used to have to choose from 1,000’s of alerts…now we know the 4-6 critical alerts for our environment”
“What used to take us 2 weeks or 2 months now takes us 2 minutes”
“Instead of spending 4 hours each day chasing our tools, we’re blocking everywhere, automatically”
“It would have taken 2 hours a day to do what’s being done automatically”
SHARED SECURITY INTELLIGENCE
With AMP ThreatGrid, both Cisco industry partners and non-Cisco solutions can benefit from dynamic analysis executed by AMP, automatically improving your defense.
Integration
• How sharing Threat Intelligence works
• Adding integration
• Invitation to review your environment?
THREATGRID
Shares the results of dynamic analysis (sandboxing) of your files, and threat intelligence feeds, with your existing security:
• Firewall
• IPS/IDS
• Gateway/Proxy
• Network Taps
• SIEM
• Log Management
• Endpoint Security
• Other tools
NEXT STEPS
1. “Cisco AMP”
2. Scoping Call
3. Custom Demo
4. POC
Sean Earhard
seearhar@cisco.com / 647-988-4945

 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 

Behind the Curtain: Exposing Advanced Threats

  • 5. © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 1. BLOCK
• 6. Stay out!
• 7. THE ATTACK CONTINUUM
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Each phase has its own BUDGET and TIME. Tools plotted across the continuum: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Antivirus, Email/Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM
• 8. BEFORE, DURING AND AFTER IN ACTION
Point-in-time threat inspection at each layer: antivirus, network, web and email. The population of threats that gets past every point-in-time inspection is 100% effective, 100% of the time.
• 9. LEGACY SECURITY PRODUCTION MODEL (TODAY)
1. Mass sample collection: MALWARE SAMPLE #A4409K
2. Prioritized sample processing: MALWARE ANALYSIS #A4409K
3. Prioritized detection creation: SIGNATURE UPDATE #A4409K
4. Signature payload distribution
• 10. ATTACK FLOW EXAMPLE
1. A Firefox user connects to http://www.downloaders.com and downloads an unknown .zip.
2. Two files are accessed when the .zip is opened: b260653178.exe and a PDF.
3. The PDF reader application is opened to read the PDF; Acrobat launches svchost.exe.
4. svchost.exe connects to http://192.168.1.12.
5. 3 files are downloaded, but 2 are blocked by AMP.
6. File #3 connects to 4 IP addresses, opens a dialog window and awaits a response.
7. File #4 is downloaded.
8. The last unknown file launches calc.exe, hollows the process and begins listening for remote connections.
9. It geolocates and then connects to a C&C server.
10. AMP Cloud issues a retrospective block.
37% FALSE NEGATIVES ARE COUNTED AS SECURITY 'WINS'
• 11. WHAT IS GARTNER ADVISING ABOUT THIS?
• 12. 65% of CEOs say their risk management approach is falling behind. In a new reality where security breaches come at a daily rate, we must move away from trying to achieve the impossible perfect protection and instead invest in detection and response. Organizations should move their investments from 90 percent prevention and 10 percent detection and response to a 60/40 split.
Peter Sondergaard, Senior VP and Global Head of Research, Gartner
• 13. WHO IS THE TOP 'DETECTION AND RESPONSE' VENDOR?
• 14. NSS LABS: BREACH DETECTION SYSTEMS
• Over 5 billion discrete data elements
• Hundreds of victim machines
• Collection and analysis of terabytes of logs
• Hundreds of discrete samples used in current campaigns
• Exploits, malware and evasion testing was performed using regularly abused compromise mediums such as web and email, leveraging multiple common document types
• Over 100 unique evasion mechanics were tested
Cisco AMP: rated 99.2% effective; the only vendor to block 100% of evasion techniques; top vendor 2 years in a row
  • 15. 2015 Gartner MQ for Intrusion Prevention Systems “The Advanced Malware Protection (AMP) products provide a quicker path to adding advanced threat capabilities… competing well against stand-alone and established advanced persistent threat (APT) solution vendors.”
• 16. THE CISCO RESPONSE
• 17. AMP OVERVIEW
• 18. Cisco Advanced Malware Protection: Built on Unmatched Collective Security Intelligence
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600 engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day
• AMP Threat Grid dynamic analysis: 10 million files/month
Sources feeding the Cisco Collective Security Intelligence Cloud: AMP Community, Private/Public Threat Feeds, Talos Security Intelligence, AMP Threat Grid Intelligence, Advanced Microsoft and Industry Disclosures, Snort and ClamAV Open Source Communities, AEGIS Program. Intelligence reaches Email, Endpoints, Web, Networks and IPS Devices through automatic updates in real time.
Talos, the Cisco security and intelligence research group: 3.5 billion searches today; 18.5B (Cloud AMP); 20.1 billion threats blocked today.
• 22. [Architecture diagram] Malware events shared across HQ, store (POS), data center and endpoints: AMP for Endpoints, AMP appliance (NGIPS) with FireSIGHT, Cisco Web, Cisco Email, ASA + FPS, AMP Cloud, ThreatGrid dynamic analysis, and Talos security and intelligence research.
• 23. AMP WORKFLOW IN ACTION
• 24. AMP ARCHITECTURE vs. EQUIVALENT COMPETITIVE ARCHITECTURE
AMP infrastructure: Talos, AMP for Endpoint, FireSIGHT Management Center, AMP appliance (NGIPS), AMP ThreatGrid dynamic analysis.
• 26. CONTINUOUS ANALYSIS AND RETROSPECTIVE SECURITY
AMP blocks threats, but it doesn't stop there. AMP uses big data analytics to continuously analyze the history of endpoint and network behavior in your environment, uncovering advanced threats and rewinding history to block them.
• 27. NETWORK
• Start with blocking: IP, IPS, files
• Tracking files: good, unknown, bad
• Unknown files = dynamic analysis
• Retrospective events
ENDPOINT
• Tracking files
• Tracking behavior
• Blocking examples: IP, IoC, files
• Dynamic analysis
• Retrospective events
• 28. ATTACK FLOW vs. AMP
The attack flow from slide 10, annotated with the detections AMP for Network and AMP for Endpoint raise along the way:
1. A Firefox user connects to http://www.downloaders.com and downloads an unknown .zip.
2. Two files are accessed when the .zip is opened: b260653178.exe and a PDF.
3. The PDF reader application is opened to read the PDF; Acrobat launches svchost.exe.
4. svchost.exe connects to http://192.168.1.12.
5. 3 files are downloaded, but 2 are blocked by AMP.
6. File #3 connects to 4 IP addresses, opens a dialog window and awaits a response.
7. File #4 is downloaded.
8. The last unknown file launches calc.exe, hollows the process and begins listening for remote connections.
9. It tries to geolocate and then connect to a C&C server.
10. Low prevalence analysis delivers a retrospective block; AMP Cloud issues a retrospective block.
Detections triggered: device trajectory, file trajectory, ThreatGrid dynamic analysis (on the network and on the endpoint), Snort rule analysis, low prevalence, retrospective block, systemic block.
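The chain on slides 10 and 28 (a document reader spawning svchost.exe, that svchost.exe calling out, calc.exe hollowed and left listening) is what endpoint telemetry looks like when the "device trajectory" is rebuilt from process, connection and listener records. The following is an added example, not AMP's detection logic or data: the telemetry, hashes and fleet prevalence counts are constructed, and the three rules are this example's own.

```python
"""Endpoint detections over the attack chain on the slide (added example).

The process tree, connections and listening socket below are constructed
telemetry that mirrors the chain on the slide (Acrobat spawning svchost.exe,
svchost.exe calling out, calc.exe hollowed and listening). The checks are this
example's own, not AMP's detection logic; hashes and prevalence counts are
placeholders.
"""

# Constructed telemetry for host ws-17; pid 300 (the desktop shell) is not
# in the record, so lineage walks stop there.
EVENTS = [
    {"ts": 1, "type": "proc", "pid": 410, "ppid": 300,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "sha256": "aa01"},
    {"ts": 2, "type": "proc", "pid": 520, "ppid": 300,
     "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "sha256": "cc03"},
    {"ts": 3, "type": "proc", "pid": 611, "ppid": 520,
     "image": r"C:\Users\u\AppData\Local\Temp\svchost.exe", "sha256": "dd04"},
    {"ts": 4, "type": "net", "pid": 611, "dst": "192.168.1.12", "dport": 80},
    {"ts": 5, "type": "proc", "pid": 700, "ppid": 611,
     "image": r"C:\Windows\System32\calc.exe", "sha256": "ee05"},
    {"ts": 6, "type": "listen", "pid": 700, "lport": 4444},
    {"ts": 7, "type": "net", "pid": 700, "dst": "203.0.113.9", "dport": 443},
]

# Number of hosts in the fleet that have run each hash (constructed).
PREVALENCE = {"aa01": 1800, "cc03": 1500, "dd04": 1, "ee05": 1900}

DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe"}
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}
NEVER_LISTENS = {"calc.exe", "notepad.exe", "acrord32.exe", "winword.exe"}
LOW_PREVALENCE_MAX_HOSTS = 5
SYSTEM32 = "c:\\windows\\system32\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(procs, pid):
    """Parent chain for a pid, root first (the 'device trajectory' view)."""
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def detect(events, prevalence):
    """Return (rule, pid, detail) findings for one host's telemetry."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "proc":
            name = basename(e["image"])
            parent = procs.get(e["ppid"])
            parent_name = basename(parent["image"]) if parent else "?"
            # A document reader has no business starting a system service image.
            if parent_name in DOCUMENT_READERS and name in SYSTEM_IMAGES:
                findings.append(("doc_reader_spawns_system_image", e["pid"],
                                 " -> ".join(lineage(procs, e["pid"]))))
            # A system image name running from outside System32 is a masquerade.
            if name in SYSTEM_IMAGES and not e["image"].lower().startswith(SYSTEM32):
                findings.append(("system_image_outside_system32", e["pid"], e["image"]))
            # Low prevalence: almost nobody else in the fleet has run this hash.
            if prevalence.get(e["sha256"], 0) <= LOW_PREVALENCE_MAX_HOSTS:
                findings.append(("low_prevalence_execution", e["pid"], e["sha256"]))
        elif e["type"] == "listen":
            # A hollowed process keeps its original name; calc.exe never listens.
            name = basename(procs[e["pid"]]["image"])
            if name in NEVER_LISTENS:
                findings.append(("unexpected_listener", e["pid"], f"{name}:{e['lport']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS, PREVALENCE):
        print(f"{rule:32} pid={pid} {detail}")
```

Note that none of the rules looks at the C&C address or the hash of the final payload: the parent-child relationship, the image path and the listener are what give the chain away, which is why the slide's "tracking behavior" matters once the file itself is unknown.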
• 29. 2. RESPOND TO ALERTS
• 31. THE POWER OF CONTEXT
In real time, AMP appliances passively discover the environment they are protecting, mapping the vulnerabilities of each host. An attack leveraging actual vulnerabilities of the target host is a true top alert.
• 32. Alert overload example
• Unfiltered: list of intrusion events
• By impact: list of intrusion events
• How? Passive discovery overview
• Endpoint: vulnerable software
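The "unfiltered" versus "by impact" lists on slides 31 and 32 come down to one join: each intrusion event against the passively discovered inventory of the host it targeted. The following is an added example, not Cisco's implementation; its four impact levels are this example's own approximation of the idea, and the hosts, events and the CVE placeholder are constructed.

```python
"""Ranking intrusion events by impact on the target host (added example).

The "By Impact" list on the slide relies on passive discovery: the sensor
learns each host's OS, open services and software versions, and an alert is
ranked by whether the target is actually exposed to what the exploit needs.
The four levels here are this example's own approximation, not Cisco's
implementation; hosts, events and "CVE-EXAMPLE-1" are constructed.
"""

IMPACT = {
    1: "vulnerable: target has the exploited vulnerability",
    2: "potentially vulnerable: targeted service present, exposure unconfirmed",
    3: "not vulnerable: targeted service absent on this host",
    4: "unknown target: host not seen by passive discovery",
}

# Passive discovery map (constructed): open services and known CVEs per host.
HOST_MAP = {
    "10.0.0.5":  {"os": "windows", "services": {445: "smb", 3389: "rdp"},
                  "vulns": {"CVE-EXAMPLE-1"}},
    "10.0.0.9":  {"os": "linux",   "services": {22: "ssh", 80: "http"},
                  "vulns": set()},
    "10.0.0.12": {"os": "windows", "services": {445: "smb"},
                  "vulns": set()},
}

# Intrusion events (constructed). "cve" is what the signature detects;
# "dport" is the service the exploit has to reach.
EVENTS = [
    {"id": 1, "src": "203.0.113.7", "dst": "10.0.0.5",  "dport": 445,
     "sig": "SMB remote code execution attempt", "cve": "CVE-EXAMPLE-1"},
    {"id": 2, "src": "203.0.113.7", "dst": "10.0.0.12", "dport": 445,
     "sig": "SMB remote code execution attempt", "cve": "CVE-EXAMPLE-1"},
    {"id": 3, "src": "203.0.113.7", "dst": "10.0.0.9",  "dport": 445,
     "sig": "SMB remote code execution attempt", "cve": "CVE-EXAMPLE-1"},
    {"id": 4, "src": "198.51.100.2", "dst": "10.0.0.77", "dport": 80,
     "sig": "web shell upload attempt", "cve": None},
]


def impact(event, host_map):
    """Impact level 1 (act now) to 4 (no context) for one event."""
    host = host_map.get(event["dst"])
    if host is None:
        return 4
    if event["cve"] and event["cve"] in host["vulns"]:
        return 1
    if event["dport"] in host["services"]:
        return 2
    return 3


def prioritize(events, host_map):
    """All events, highest impact first, as (level, event id, dst, label)."""
    ranked = sorted(events, key=lambda e: (impact(e, host_map), e["id"]))
    return [(impact(e, host_map), e["id"], e["dst"], IMPACT[impact(e, host_map)])
            for e in ranked]


def top_alerts(events, host_map, max_level=1):
    """Event ids worth a human's first look: impact <= max_level."""
    return [e["id"] for e in events if impact(e, host_map) <= max_level]


if __name__ == "__main__":
    for level, eid, dst, label in prioritize(EVENTS, HOST_MAP):
        print(f"impact {level}  event {eid}  {dst:10}  {label}")
```

The same SMB signature fires three times in the sample; only the event against the one host that actually carries the vulnerability lands at impact 1, which is the mechanism behind "we used to choose from 1,000's of alerts, now we know the 4-6 critical ones". An unknown target (impact 4) is not safe to ignore, it is a coverage gap in discovery.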
• 33. 3. INVESTIGATE INCIDENTS
• 35. VISIBILITY + CONTROL
Because AMP records the history of the environment, your team can quickly scroll back time to discover what happened.
• Identify 'patient zero', the first victim.
• Determine the attack scope: how malware traversed the organization.
• Contain the event, understanding all affected systems.
• Remediate quickly, focusing on high-priority events and systems.
• Prevent reinfection by identifying the root causes.
• 36. Workflow: Investigate Incidents
• Network
• Endpoint
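The investigation questions on slide 35 (patient zero, scope, containment) and the "roll back time even after reimaging" point on slide 40 both depend on the same thing: a recorded history of every sighting of a file, kept outside the endpoints themselves. The following is an added example, not AMP's code or data: the sightings, the verdict change, host names, hashes and times are constructed, and the replay logic is this example's own.

```python
"""File trajectory and retrospective blocking across a fleet (added example).

The cloud-side record below is constructed: each entry is one sighting of a
file on a host, with the time, the action and where the file came from (a
URL or another host). When the verdict for a hash later changes to
malicious, that history is replayed to answer the questions on the slide:
patient zero, how the file spread, which hosts ran it, and where to block.
Not AMP's code or data; hosts, hashes and times are placeholders.
"""

SIGHTINGS = [
    {"ts": 100, "host": "ws-17", "sha256": "dd04", "action": "download",
     "source": "http://www.downloaders.com/x.zip"},
    {"ts": 101, "host": "ws-17", "sha256": "dd04", "action": "execute", "source": None},
    {"ts": 130, "host": "fs-01", "sha256": "dd04", "action": "copy", "source": "ws-17"},
    {"ts": 150, "host": "ws-22", "sha256": "dd04", "action": "copy", "source": "fs-01"},
    {"ts": 151, "host": "ws-22", "sha256": "dd04", "action": "execute", "source": None},
    {"ts": 160, "host": "ws-31", "sha256": "dd04", "action": "copy", "source": "fs-01"},
    # ws-22 was wiped on a hunch before anyone knew what dd04 was; the record
    # of what it ran and where the file came from survives the reimage.
    {"ts": 175, "host": "ws-22", "sha256": None, "action": "reimage", "source": None},
    {"ts": 200, "host": "ws-40", "sha256": "aa01", "action": "download",
     "source": "http://vendor.example/setup.exe"},
]

# The verdict for dd04 was "unknown" at every sighting above; dynamic
# analysis flips it to "malicious" at ts 180.
VERDICT_CHANGE = {"ts": 180, "sha256": "dd04", "old": "unknown", "new": "malicious"}


def trajectory(sightings, sha256):
    """All sightings of one hash, oldest first: the file trajectory."""
    return sorted((s for s in sightings if s["sha256"] == sha256),
                  key=lambda s: s["ts"])


def retrospective(sightings, change):
    """Replay history for a hash whose verdict just became malicious."""
    traj = trajectory(sightings, change["sha256"])
    if not traj or change["new"] != "malicious":
        return None
    first = traj[0]
    hosts = list(dict.fromkeys(s["host"] for s in traj))  # first-seen order
    return {
        "sha256": change["sha256"],
        "patient_zero": first["host"],
        "entry_point": first["source"],
        # how long the file lived in the fleet as "unknown" before the verdict
        "dwell_seconds": change["ts"] - first["ts"],
        "affected_hosts": hosts,
        "executed_on": sorted({s["host"] for s in traj if s["action"] == "execute"}),
        "propagation": [(s["source"], s["host"]) for s in traj
                        if s["action"] in ("download", "copy")],
        "reimaged_before_verdict": sorted({
            s["host"] for s in sightings
            if s["action"] == "reimage" and s["host"] in hosts and s["ts"] < change["ts"]}),
        # retrospective block: every host that saw the file, not just the alerting one
        "block_on": hosts,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(retrospective(SIGHTINGS, VERDICT_CHANGE), indent=2))
```

Two things to notice in the output: the block list covers the file server and the two workstations that never raised an alert of their own, and ws-22 still appears as an affected host with its execution and its source (fs-01) intact even though it was reimaged before the verdict arrived. Reimaging ws-22 alone would have left fs-01 serving the file to the next workstation.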
• 37. 4. REIMAGE AND RECOVER
• 39. SYSTEMIC RESPONSE
AMP works through the cloud, enforcing security response everywhere it is installed. Before we can react to an alert, AMP is already blocking on the network, on endpoints (even laptops off our network), and on email and web.
• 40. Systemic Response
• Example
Move beyond blind reimaging:
• Identify root cause (review)
• Roll back time even after reimaging
• 41. 5. IMPROVE DEFENSE
• 43. "AMP finds what our other tools miss"
"We used to have to choose from 1,000's of alerts…now we know the 4-6 critical alerts for our environment"
"What used to take us 2 weeks or 2 months now takes us 2 minutes"
"Instead of spending 4 hours each day chasing our tools, we're blocking everywhere, automatically"
"It would have taken 2 hours a day to do what's being done automatically"
SHARED SECURITY INTELLIGENCE
With AMP ThreatGrid, both Cisco industry partners and non-Cisco solutions can benefit from dynamic analysis executed by AMP, automatically improving your defense.
• 44. Integration
• How sharing threat intelligence works
• Adding integration
• Invitation to review your environment?
• 45. THREATGRID shares the results of dynamic analysis (sandboxing) of your files, and threat intelligence feeds, with your existing security:
• Firewall
• IPS/IDS
• Gateway/Proxy
• Network taps
• SIEM
• Log management
• Endpoint security
• Other tools
• 46. NEXT STEPS
1. "Cisco AMP"
2. Scoping call
3. Custom demo
4. POC
Sean Earhard, seearhar@cisco.com / 647-988-4945